CVE-2023-51767

Published: 24 December 2023

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Notes

openssh-ssh1 is provided for compatibility with old devices
that cannot be upgraded to modern protocols. Thus we may not
provide security support for this package if doing so would
prevent access to equipment.

The researchers used a modified version of sshd to make this
vulnerability easier to demonstrate. There is no indication
the openssh package in Ubuntu can be exploited in the same way.

The upstream OpenSSH developers have chosen to ignore this issue
as this vulnerability isn't exploitable in practice, and needs
to be addressed by the hardware platform, not in OpenSSH itself.

Since there is nothing actionable here for Ubuntu, I am marking
this issue as ignored.

Status

Severity score breakdown

References

• https://arxiv.org/abs/2309.02545
• https://www.cve.org/CVERecord?id=CVE-2023-51767
• NVD
• Launchpad
• Debian

Bugs

• http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059393
• https://bugzilla.mindrot.org/show_bug.cgi?id=3656