CVE-2023-51767 - OpenCVE

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux
Openbsd	Openssh
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

References

Link	Resource
https://access.redhat.com/security/cve/CVE-2023-51767	Third Party Advisory
https://arxiv.org/abs/2309.02545	Technical Description
https://bugzilla.redhat.com/show_bug.cgi?id=2255850	Issue Tracking Third Party Advisory
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77	Product
https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878	Product
https://security.netapp.com/advisory/ntap-20240125-0006/	Third Party Advisory
https://ubuntu.com/security/CVE-2023-51767	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-12-24T00:00:00

Updated: 2024-01-25T14:06:38.770250

Reserved: 2023-12-24T00:00:00

Link: CVE-2023-51767

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-24T07:15:07.410

Modified: 2024-02-27T15:51:55.813

Link: CVE-2023-51767

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6D7D468-C829-4A4E-8865-E62D8EC5E274", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges."}, {"lang": "es", "value": "OpenSSH hasta 9.6, cuando se utilizan tipos comunes de DRAM, podr\u00eda permitir row hammer attacks (para omitir la autenticaci\u00f3n) porque el valor entero de autenticado en mm_answer_authpassword no resiste cambios de un solo bit. NOTA: esto es aplicable a un determinado modelo de amenaza de ubicaci\u00f3n conjunta entre atacante y v\u00edctima en el que el atacante tiene privilegios de usuario."}], "id": "CVE-2023-51767", "lastModified": "2024-02-27T15:51:55.813", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-24T07:15:07.410", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-51767"}, {"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "https://arxiv.org/abs/2309.02545"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240125-0006/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://ubuntu.com/security/CVE-2023-51767"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}