CVE-2023-51767

2023-12-2407:15:07

Google

osv.dev

openssh

vulnerability

row hammer attacks

authentication bypass

dram

threat model

user privileges

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

20.2%

JSON

OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.

CPENameOperatorVersion
openssh-portableeqV_5_0_P1
openssheq1:9.1p1-1
openssh-portableeqAFTER_FREEBSD_PAM_MERGE
openssheq1:7.9p1-10
openssh-portableeqV_1_2_2_P1
openssheq1:8.0p1-4
openssheq1:8.0p1-6
openssheq1:9.6p1-3
openssh-portableeqPRE-REORDER
openssh-portableeqV_1_2_3_PRE5

Name	Operator	Version
openssh-portable	eq	V_5_0_P1
openssh	eq	1:9.1p1-1
openssh-portable	eq	AFTER_FREEBSD_PAM_MERGE
openssh	eq	1:7.9p1-10
openssh-portable	eq	V_1_2_2_P1
openssh	eq	1:8.0p1-4
openssh	eq	1:8.0p1-6
openssh	eq	1:9.6p1-3
openssh-portable	eq	PRE-REORDER
openssh-portable	eq	V_1_2_3_PRE5