Bug 2255850 (CVE-2023-51767) - CVE-2023-51767 openssh: authentication bypass via row hammer attack
Summary: CVE-2023-51767 openssh: authentication bypass via row hammer attack
Keywords:
Status: NEW
Alias: CVE-2023-51767
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2255851
Blocks: 2255855
Reported: 2023-12-25 19:41 UTC by ybuenos
Modified: 2024-02-19 20:17 UTC
CC List: 3 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An authentication bypass vulnerability was found in OpenSSH. When common types of DRAM are used, it might allow row hammer attacks because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description ybuenos 2023-12-25 19:41:07 UTC
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

https://arxiv.org/abs/2309.02545
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878
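
A simplified model of the weakness described above, added here as an illustration and not taken from OpenSSH or from the report: it compares an integer flag where any non-zero value means "accepted" with a flag encoded as two complementary constants, and counts how many single-bit corruptions of the "rejected" value each check would accept. The constants `AUTH_OK` and `AUTH_FAIL` and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): 0 = rejected, any non-zero = accepted. */
static int fragile_check(uint32_t authenticated) {
    return authenticated != 0;
}

/* Hypothetical hardened encoding: two constants that are bitwise
 * complements, so 32 bit flips separate "rejected" from "accepted". */
#define AUTH_OK   0x5AA5C33Cu
#define AUTH_FAIL 0xA55A3CC3u  /* == ~AUTH_OK */

/* Fail closed: only the exact AUTH_OK pattern is accepted. */
static int hardened_check(uint32_t authenticated) {
    return authenticated == AUTH_OK;
}

/* Number of differing bits between two 32-bit values. */
static int hamming32(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (x) { x &= x - 1; n++; }
    return n;
}

/* Flip each bit of the "rejected" value in turn and count how many of the
 * 32 corrupted values the check would treat as "accepted". */
static int single_flip_accepts(uint32_t rejected, int (*check)(uint32_t)) {
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++)
        accepted += check(rejected ^ (UINT32_C(1) << bit)) ? 1 : 0;
    return accepted;
}

int main(void) {
    printf("fragile : %d of 32 single-bit flips accepted\n",
           single_flip_accepts(0, fragile_check));
    printf("hardened: %d of 32 single-bit flips accepted (distance %d)\n",
           single_flip_accepts(AUTH_FAIL, hardened_check),
           hamming32(AUTH_OK, AUTH_FAIL));
    return 0;
}
```

The encoding only raises the number of flips needed in the stored flag itself; it does not cover corruption of other data or of the code that tests the flag.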

Comment 1 ybuenos 2023-12-25 19:41:22 UTC
Created openssh tracking bugs for this issue:

Affects: fedora-all [bug 2255851]

Comment 5 Damien Miller 2024-01-16 07:32:33 UTC
FYI https://bugzilla.mindrot.org/show_bug.cgi?id=3656