2255850 – (CVE-2023-51767) CVE-2023-51767 openssh: authentication bypass via row hammer attack

Bug 2255850 (CVE-2023-51767) - CVE-2023-51767 openssh: authentication bypass via row hammer attack

Summary: CVE-2023-51767 openssh: authentication bypass via row hammer attack

Keywords:
Status:	NEW
Alias:	CVE-2023-51767
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2255851
Blocks:	2255855
TreeView+	depends on / blocked

Reported:	2023-12-25 19:41 UTC by ybuenos
Modified:	2025-06-03 14:15 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description ybuenos 2023-12-25 19:41:07 UTC

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

https://arxiv.org/abs/2309.02545
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878

Comment 1 ybuenos 2023-12-25 19:41:22 UTC

Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2255851]

Comment 5 Damien Miller 2024-01-16 07:32:33 UTC

FYI https://bugzilla.mindrot.org/show_bug.cgi?id=3656

Note You need to log in before you can comment on or make changes to this bug.