- The Phoenix Rowhammer variant affects DDR5 desktop systems, bypassing all known mitigations on SK Hynix chips
- Attackers can obtain root access and steal RSA keys within a few minutes using default system settings
- Researchers recommend increasing refresh rates because DRAM devices cannot be patched and remain vulnerable in the long term
Standard, production-grade desktop systems were, for the first time, found vulnerable to a variant of Rowhammer, a hardware-based security vulnerability affecting DDR5 chips.
Rowhammer affects dynamic random access memory (DRAM) and allows attackers to manipulate memory contents by repeatedly accessing, or “hammering”, a specific row of memory cells.
This causes electrical interference that can flip bits in adjacent rows without those rows ever being accessed, and can lead to privilege escalation, remote exploits and various mobile vulnerabilities.
Privilege escalation and root access
The vulnerability was first identified over ten years ago and has been addressed several times through fixes. However, as RAM chips improve, and memory cells are packed closer together, the risk of Rowhammer attacks increases.
The latest discovery is called Phoenix and is tracked as CVE-2025-6202. It received a severity score of 7.1/10 (high) and successfully bypasses all known mitigations on chips built by the South Korean semiconductor manufacturer SK Hynix.
“We have proven that reliably triggering Rowhammer bit flips on DDR5 devices from SK Hynix is possible on a larger scale,” said ETH Zürich. “We have also proven that on-die ECC does not stop Rowhammer, and Rowhammer end-to-end attacks are still possible with DDR5.”
Researchers say they can trigger privilege escalation and obtain root access on a DDR5 system with default settings in less than two minutes. Practical uses include stealing RSA-2048 keys from a co-located virtual machine, breaking SSH authentication. A separate scenario involves using the sudo binary to escalate local privileges to the root user.
“As DRAM devices in the wild cannot be updated, they will remain vulnerable for many years,” analysts said in the paper. “We recommend that you increase the refresh rate to 3x, which prevented Phoenix from triggering bit flips on our test systems.” In this context, it should perhaps be mentioned that after Rowhammer was first disclosed in 2014, vendors such as Intel and DRAM manufacturers introduced increased refresh rates and target row refresh (TRR) mechanisms as mitigation measures.
Via The Hacker News