{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-51767", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-09-22T16:42:44.854Z", "dateReserved": "2023-12-24T00:00:00.000Z", "datePublished": "2023-12-24T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-09-22T16:42:44.854Z"}, "descriptions": [{"lang": "en", "value": "OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states \"we do not consider it to be the application's responsibility to defend against platform architectural weaknesses.\""}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://arxiv.org/abs/2309.02545"}, {"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"}, {"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"}, {"url": "https://access.redhat.com/security/cve/CVE-2023-51767"}, {"url": "https://ubuntu.com/security/CVE-2023-51767"}, {"url": "https://security.netapp.com/advisory/ntap-20240125-0006/"}, {"url": "https://www.openwall.com/lists/oss-security/2025/09/22/1"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}], "tags": ["disputed"]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T22:48:11.104Z"}, "title": "CVE Program Container", "references": [{"url": "https://arxiv.org/abs/2309.02545", "tags": ["x_transferred"]}, {"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878", "tags": ["x_transferred"]}, {"url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-51767", "tags": ["x_transferred"]}, {"url": "https://ubuntu.com/security/CVE-2023-51767", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240125-0006/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openbsd:openssh:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6D7D468-C829-4A4E-8865-E62D8EC5E274", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "OpenSSH through 10.0, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges. NOTE: this is disputed by the Supplier, who states \"we do not consider it to be the application's responsibility to defend against platform architectural weaknesses.\""}, {"lang": "es", "value": "OpenSSH hasta 9.6, cuando se utilizan tipos comunes de DRAM, podr\u00eda permitir row hammer attacks (para omitir la autenticaci\u00f3n) porque el valor entero de autenticado en mm_answer_authpassword no resiste cambios de un solo bit. NOTA: esto es aplicable a un determinado modelo de amenaza de ubicaci\u00f3n conjunta entre atacante y v\u00edctima en el que el atacante tiene privilegios de usuario."}], "id": "CVE-2023-51767", "lastModified": "2025-09-22T17:16:06.300", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-12-24T07:15:07.410", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-51767"}, {"source": "cve@mitre.org", "tags": ["Technical Description"], "url": "https://arxiv.org/abs/2309.02545"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240125-0006/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://ubuntu.com/security/CVE-2023-51767"}, {"source": "cve@mitre.org", "url": "https://www.openwall.com/lists/oss-security/2025/09/22/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-51767"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Technical Description"], "url": "https://arxiv.org/abs/2309.02545"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20240125-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://ubuntu.com/security/CVE-2023-51767"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "openssh: authentication bypass via row hammer attack", "id": "2255850", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255850"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-287", "details": ["OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.", "An authentication bypass vulnerability was found in a modified version of OpenSSH. When common types of DRAM memory are used, it might allow row hammer attacks because the integer value of authenticated authpassword does not resist flips of a single bit. Exploiting a Rowhammer-style attack to flip bits in memory, forces successful authentication by setting the return code to 0."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.\nThere is no upstream solution. Changing the success code logic would break system behavior. Since Rowhammer exploits physical DRAM faults, software-level fixes are ineffective, and no mitigation will be pursued."}, "name": "CVE-2023-51767", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "openssh", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2023-12-24T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-51767\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-51767\nhttps://arxiv.org/abs/2309.02545\nhttps://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/auth-passwd.c#L77\nhttps://github.com/openssh/openssh-portable/blob/8241b9c0529228b4b86d88b1a6076fb9f97e4a99/monitor.c#L878"], "statement": "THIS IS A HARDWARE PROBLEM THAT CANNOT BE FIXED as a software-level fix is ineffective.\nRed Hat has determined this vulnerability to be a Moderate impact because it targets the local system and lacks a widespread impact beyond compromising the integrity of individual processes by exploiting CPU internals and stack variables.\nMORE ABOUT THIS ISSUE:\n\"Mayhem\" is a potent attack technique that focuses on the core components of computing systems, specifically the CPU internals and stack variables. This method signifies a noteworthy advancement in cyber threats, demonstrating the ability to tamper with a computer's memory and compromise both stack and register variables. Capitalizing on the well-known Rowhammer effect, where swift access to a DRAM row induces bit flips in neighboring rows, this attack exploits these bit flips to disrupt stack variables and manipulate register values within a given process. The manipulation is accomplished by targeting register values stored in the process' stack, which, once flushed out to memory, become vulnerable to Rowhammer attacks. When reloaded, these corrupted values cause chaos, compromising the integrity of the entire process. \nIt's important to note that this attack is confined to the local system, leading us to categorize it as a moderate threat.\nAccess to the platform is granted only after successful authentication through multifactor authentication (MFA). Domain accounts are configured to lock out based on predefined access policies, reducing the effectiveness of brute-force attacks on authentication mechanisms. The platform employs IAM roles for identification and authentication within its cloud infrastructure that govern user access to resources and manage provisioning, deployment, and configuration within the platform environment. \nThis reduces the risk of unauthorized access through third-party or external user accounts. Finally, memory protection mechanisms are used to enhance resilience against unauthorized commands or improper authentication.\nThe research presented in the provided link introduces the attack described below: https://arxiv.org/abs/2309.02545", "threat_severity": "Moderate"}