Security Advisory ZPE-NG-2024-003

Advisory ID: ZPE-NG-2024-003
First Published: Oct 01, 2024
CVE ID: CVE-2023-51767 (details on NIST.gov)
CVSSv3 Base Score: 7.0 (High)

Summary

OpenSSH, when common types of DRAM are used, might allow rowhammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
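The weakness described above is a design property, not a specific bug: when "authenticated" is held as a plain integer and any non-zero value is treated as true, every one of the 32 possible single-bit flips of a zero turns "not authenticated" into "authenticated". The following added example (constructed for this advisory, not OpenSSH source code and not an upstream fix, since the advisory notes none exists) contrasts that plain-int check with a flag encoded as two constants of maximal Hamming distance and compared by exact equality, a standard fault-tolerance pattern that fails closed under any single-bit flip. The constant names `AUTH_OK` and `AUTH_FAIL` and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration (not OpenSSH code): two ways to hold an
 * "authenticated" flag and how each behaves when one bit is flipped. */

/* Weak pattern: a plain int where any non-zero value means "authenticated".
 * A single flipped bit in a zero yields a non-zero value, which passes. */
static int plain_flag_accepts(int authenticated)
{
    return authenticated != 0;
}

/* Hardened pattern: "true" and "false" are encoded as constants whose bit
 * patterns differ in every position (Hamming distance 32), and access is
 * granted only on exact equality with AUTH_OK. Flipping one bit of either
 * constant produces a value that matches neither, so the check fails closed.
 * The constant names are assumptions chosen for this example. */
#define AUTH_OK   0xAAAAAAAAu
#define AUTH_FAIL 0x55555555u

static int hardened_accepts(uint32_t authenticated)
{
    return authenticated == AUTH_OK;
}

/* Count how many of the 32 single-bit flips of `start` the plain check
 * would treat as "authenticated". */
int plain_flips_accepted(int start)
{
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++) {
        int flipped = (int)((uint32_t)start ^ (1u << bit));
        if (plain_flag_accepts(flipped))
            accepted++;
    }
    return accepted;
}

/* Same count for the hardened representation. */
int hardened_flips_accepted(uint32_t start)
{
    int accepted = 0;
    for (int bit = 0; bit < 32; bit++) {
        uint32_t flipped = start ^ (1u << bit);
        if (hardened_accepts(flipped))
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("plain int, starting from 0: %d of 32 single-bit flips grant access\n",
           plain_flips_accepted(0));
    printf("hardened flag, starting from AUTH_FAIL: %d of 32 flips grant access\n",
           hardened_flips_accepted(AUTH_FAIL));
    printf("hardened flag, starting from AUTH_OK: %d of 32 flips keep access\n",
           hardened_flips_accepted(AUTH_OK));
    return 0;
}
```

The hardened variant only narrows the window for this class of fault; it does not stop bit flips from occurring, which is why the advisory's own mitigation (no untrusted users on the host) and memory-level measures such as the ABACuS-style RowHammer mitigations in the references remain the primary controls.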

Affected Nodegrid OS Versions

  • All Nodegrid OS versions.

Nodegrid OS is used in the following products:

  • Nodegrid Serial Console
  • Nodegrid Serial Console Plus
  • Nodegrid Net Services Router
  • Nodegrid Gate SR
  • Nodegrid Link SR
  • Nodegrid Bold SR
  • Nodegrid Hive SR
  • Nodegrid Mini SR
  • Nodegrid Manager
  • Nodegrid Virtual Services Router

Impact

This vulnerability could theoretically lead to authentication bypass.

The attack has only been demonstrated in a modified environment that facilitated it, and it is unlikely to succeed in production environments.

The use of ASLR (Address-Space Layout Randomization), implemented at the operating-system level by the Linux kernel, makes the attack less likely to succeed.

Nodegrid Net Services Router, Gate SR, Hive SR, and Serial Console Plus employ DDR4 memory, which is less susceptible to bit flips, making this vulnerability harder to exploit and hence less likely to succeed.

Mitigations

Make sure no untrusted user has authorized access to the system.

Solutions

There are no definitive solutions available at this time, as this relies on “architectural and physical imperfections in DRAMs”.

Currently there are no upstream mitigations available from OpenSSH maintainers.

References

1. Mayhem: Targeted Corruption of Register and Stack Variables
2. ABACuS: All-Bank Activation Counters for Scalable and Low Overhead RowHammer Mitigation
3. 3656 – How to fix row hammer attacks?
4. CVE-2023-51767 | Ubuntu
5. CVE-2023-51767 Common Vulnerabilities and Exposures
6. cve-details
7. CVE-2023-51767