Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

ZenHammer Attack Targets DRAM on Systems With AMD CPUs

A new Rowhammer attack named ZenHammer has been demonstrated against DRAM on systems with AMD CPUs, including DDR5.

ZenHammer AMD CPU attack

Researchers at the ETH Zürich university in Switzerland have demonstrated that Rowhammer attacks can be conducted against dynamic random-access memory (DRAM) on systems powered by AMD Zen 2 and Zen 3 CPUs. 

First discussed in 2014, Rowhammer attacks involve repeatedly accessing a row of memory in an effort to cause bit flips in adjacent rows. An attacker could use this technique to bypass memory protections, escalate privileges, and even to decrypt sensitive data. Researchers previously demonstrated that attacks can be launched remotely and against mobile devices.

The ETH Zürich researchers now claim to have achieved bit flips on DDR4 memory and for the first time ever even against DDR5. They targeted devices powered by AMD Zen 2 and Zen 3 processors, showing that AMD systems are “equally vulnerable to Rowhammer as Intel systems, which greatly increases the attack surface”.

The researchers claim such attacks, which they have dubbed ZenHammer, can be conducted despite Target Row Refresh (TRR) mitigations, which should detect and prevent Rowhammer attacks by refreshing victim rows before the bits can flip. 

AMD said on Monday that it’s aware of the research. The company continues to investigate some of the claims and has provided recommendations for mitigating attacks. 

The ZenHammer attack, which involves having access to the targeted system, was tested against 10 DDR4 modules from Samsung, Micron and SK Hynix. The experts successfully triggered bit flips on seven DRAM devices on Zen 2 and six DRAM devices on Zen 3 systems. 

“We evaluated the exploitability of these bit flips based on three attacks from previous work: (i) an attack targeting the page frame number of a page table entry (PTE) to pivot it to an attacker-controlled page table page, (ii) an attack on the RSA-2048 public key that allows recovering the associated private key used to authenticate to an SSH host, (iii) and an attack on the password verification logic of the sudoers.so library that enables gaining root privileges,” the researchers explained.

As for the attack targeting DDR5, the researchers did manage to achieve bit flips on a single system that used AMD’s latest Zen 4 platform. 

Advertisement. Scroll to continue reading.

“This is the first public report of DDR5 bit flips on commodity systems in the wild,” the researchers said. “However, given that ZenHammer could not trigger flips on nine out of ten devices, we conclude that more research is necessary to find more effective patterns for DDR5 devices.”

The researchers said that while Rowhammer is a widely known issue, they did notify AMD one month prior to their disclosure. 


AMD has published a security bulletin in response to the ZenHammer research, informing customers that it continues to assess the DDR5 attack claims. 

The chip giant has also provided recommendations for mitigating Rowhammer-style attacks.  

“AMD microprocessor products include memory controllers designed to meet industry-standard DDR specifications. Susceptibility to Rowhammer attacks varies based on the DRAM device, vendor, technology, and system settings. AMD recommends contacting your DRAM or system manufacturer to determine any susceptibility to this new variant of Rowhammer,” AMD said.

Additional details on the ZenHammer attack are available in a technical paper published by the researchers. They have also made available an open source ZenHammer fuzzer that can be used to check DRAM devices for bit flips on AMD Zen 2, 3 and 4 CPUs.

Related: Protected Virtual Machines Exposed to New ‘CacheWarp’ AMD CPU Attack

Related: Half-Double: Google Researchers Find New Rowhammer Attack Technique

Related: AMD CPU Vulnerability ‘Zenbleed’ Can Expose Sensitive Information

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.