Description
OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states "we do not consider it to be the application's responsibility to defend against platform architectural weaknesses."
References (34)
Core 34
Core References
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-51767
Technical Description
https://arxiv.org/abs/2309.02545
Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2255850
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240125-0006/
Third Party Advisory
https://ubuntu.com/security/CVE-2023-51767
Scores
CVSS v3
7.0
EPSS
0.0001
EPSS Percentile
0.5%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
Status
published
Products (4)
fedoraproject/fedora
39
openbsd/openssh
redhat/enterprise_linux
8.0
redhat/enterprise_linux
9.0
Published
Dec 24, 2023
Tracked Since
Feb 18, 2026