SK Hynix DDR5 Memory Rowhammer Vulnerability Allowing Bit Flips and Privilege Escalation

A vulnerability in SK Hynix DDR5 memory modules, manufactured between December 2021 and December 2024, allows local attackers to exploit Rowhammer effects, causing bit flips that compromise hardware integrity and system security. This vulnerability arises from inadequate refresh mechanisms in the memory, which can be exploited to manipulate data and escalate privileges. The issue persists despite the introduction of on-die ECC, as the error correction is not immediate and can be bypassed by strategic manipulation of memory access patterns.

Impact

Exploitation of this vulnerability leads to unauthorized bit flips in memory, which can be used to corrupt data or manipulate system processes. In a demonstrated attack, these bit flips were exploited to escalate privileges to the root user on a standard desktop system.

Reproduction

The vulnerability can be reproduced using a custom-developed tool named 'Phoenix', which synchronizes with the memory refresh cycles to effectively bypass the built-in Rowhammer mitigations of DDR5. This tool can be applied to any SK Hynix DDR5 DIMM manufactured within the vulnerable timeframe.

Remediation

Users can triple the memory refresh rate to mitigate this vulnerability, a change that incurs a minimal performance overhead. For systems with DDR5, a BIOS update may be available to address this issue, but its effectiveness has not been independently verified.