CVE-2023-51767
Published: 24 December 2023
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
Notes
Author | Note |
---|---|
seth-arnold | openssh-ssh1 is provided for compatibility with old devices that cannot be upgraded to modern protocols. Thus we may not provide security support for this package if doing so would prevent access to equipment. |
mdeslaur | The researchers used a modified version of sshd to make this vulnerability easier to demonstrate. There is no indication the openssh package in Ubuntu can be exploited in the same way. The upstream OpenSSH developers have chosen to ignore this issue as this vulnerability isn't exploitable in practice, and needs to be addressed by the hardware platform, not in OpenSSH itself. Since there is nothing actionable here for Ubuntu, I am marking this issue as ignored. |
Priority
Status
Package | Release | Status |
---|---|---|
openssh (Launchpad, Ubuntu, Debian) | bionic | Ignored |
openssh | focal | Ignored |
openssh | jammy | Ignored |
openssh | lunar | Ignored (end of life, was ignored [2024-01-02]) |
openssh | mantic | Ignored |
openssh | trusty | Ignored |
openssh | upstream | Needs triage |
openssh | xenial | Ignored |
openssh-ssh1 (Launchpad, Ubuntu, Debian) | bionic | Ignored |
openssh-ssh1 | focal | Ignored |
openssh-ssh1 | jammy | Ignored |
openssh-ssh1 | lunar | Ignored (end of life, was ignored [2024-01-02]) |
openssh-ssh1 | mantic | Ignored |
openssh-ssh1 | trusty | Does not exist |
openssh-ssh1 | upstream | Ignored (frozen on openssh 7.5p) |
openssh-ssh1 | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.0 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |