CVE-2023-51767 Information
Dec 26, 2023
cve
Description
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
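To make "does not resist flips of a single bit" concrete, the following added example (not OpenSSH code and not an upstream fix) compares a plain integer flag, modelled here as 0 for denied and any nonzero value for accepted, with a flag encoded as two constants that differ in every bit. The names AUTH_OK, AUTH_FAIL and the helper functions are hypothetical, and the constants are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names and constructed constants; not OpenSSH identifiers. */
#define AUTH_OK   UINT32_C(0x3CA5965A)
#define AUTH_FAIL UINT32_C(0xC35A69A5)  /* bitwise complement of AUTH_OK */

/* Plain C truthiness: any nonzero value is treated as "authenticated". */
static int plain_accepts(uint32_t flag) { return flag != 0; }

/* Hardened check: only the exact AUTH_OK pattern is accepted. */
static int hardened_accepts(uint32_t flag) { return flag == AUTH_OK; }

/* Count how many of the 32 possible single-bit flips of the "denied"
 * value would be accepted by the given check. */
static int flips_accepted(uint32_t denied, int (*accepts)(uint32_t)) {
    int n = 0;
    for (int bit = 0; bit < 32; bit++)
        if (accepts(denied ^ (UINT32_C(1) << bit)))
            n++;
    return n;
}

/* Number of bit positions in which a and b differ, i.e. the minimum
 * number of flips needed to turn one value into the other. */
static int hamming(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (x) { n += (int)(x & 1u); x >>= 1; }
    return n;
}

int main(void) {
    printf("plain flag:    %d of 32 single-bit flips of 0 are accepted\n",
           flips_accepted(0, plain_accepts));
    printf("hardened flag: %d of 32 single-bit flips of AUTH_FAIL are accepted\n",
           flips_accepted(AUTH_FAIL, hardened_accepts));
    printf("flips needed to turn AUTH_FAIL into AUTH_OK: %d\n",
           hamming(AUTH_FAIL, AUTH_OK));
    return 0;
}
```

The encoding only raises the number of flips needed on this one variable; other state in the same process and the DRAM itself are unchanged by it.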
Reference
https://arxiv.org/abs/2309.02545
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77
https://bugzilla.redhat.com/show_bug.cgi?id=2255850
https://access.redhat.com/security/cve/CVE-2023-51767