CVE-2023-51767

Name: CVE-2023-51767
Description: OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1059393

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| openssh (PTS) | buster | 1:7.9p1-10+deb10u2 | vulnerable |
| | buster (security) | 1:7.9p1-10+deb10u4 | vulnerable |
| | bullseye (security), bullseye | 1:8.4p1-5+deb11u3 | vulnerable |
| | bookworm, bookworm (security) | 1:9.2p1-2+deb12u2 | vulnerable |
| | trixie, sid | 1:9.6p1-4 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| openssh | source | (unstable) | (unfixed) | | | 1059393 |

Notes

[bookworm] - openssh <postponed> (Revisit once hardening/mitigation for Rowhammer type of attack exists)
[bullseye] - openssh <postponed> (Revisit once hardening/mitigation for Rowhammer type of attack exists)
[buster] - openssh <postponed> (Revisit once hardening/mitigation for Rowhammer type of attack exists)
https://arxiv.org/abs/2309.02545
