Описание
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
An authentication bypass vulnerability was found in a modified version of OpenSSH. When common types of DRAM memory are used, it might allow row hammer attacks because the integer value of authenticated authpassword does not resist flips of a single bit. Exploiting a Rowhammer-style attack to flip bits in memory, forces successful authentication by setting the return code to 0.
Отчет
THIS IS A HARDWARE PROBLEM THAT CANNOT BE FIXED as a software-level fix is ineffective. Red Hat has determined this vulnerability to be a Moderate impact because it targets the local system and lacks a widespread impact beyond compromising the integrity of individual processes by exploiting CPU internals and stack variables. MORE ABOUT THIS ISSUE: "Mayhem" is a potent attack technique that focuses on the core components of computing systems, specifically the CPU internals and stack variables. This method signifies a noteworthy advancement in cyber threats, demonstrating the ability to tamper with a computer's memory and compromise both stack and register variables. Capitalizing on the well-known Rowhammer effect, where swift access to a DRAM row induces bit flips in neighboring rows, this attack exploits these bit flips to disrupt stack variables and manipulate register values within a given process. The manipulation is accomplished by targeting register values stored in the process' stack, which, once flushed out to memory, become vulnerable to Rowhammer attacks. When reloaded, these corrupted values cause chaos, compromising the integrity of the entire process. It's important to note that this attack is confined to the local system, leading us to categorize it as a moderate threat. Access to the platform is granted only after successful authentication through multifactor authentication (MFA). Domain accounts are configured to lock out based on predefined access policies, reducing the effectiveness of brute-force attacks on authentication mechanisms. The platform employs IAM roles for identification and authentication within its cloud infrastructure that govern user access to resources and manage provisioning, deployment, and configuration within the platform environment. This reduces the risk of unauthorized access through third-party or external user accounts. Finally, memory protection mechanisms are used to enhance resilience against unauthorized commands or improper authentication. The research presented in the provided link introduces the attack described below: https://arxiv.org/abs/2309.02545
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. There is no upstream solution. Changing the success code logic would break system behavior. Since Rowhammer exploits physical DRAM faults, software-level fixes are ineffective, and no mitigation will be pursued.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | openssh | Out of support scope | ||
| Red Hat Enterprise Linux 7 | openssh | Out of support scope | ||
| Red Hat Enterprise Linux 8 | openssh | Will not fix | ||
| Red Hat Enterprise Linux 9 | openssh | Will not fix |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7 High
CVSS3
Связанные уязвимости
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
OpenSSH through 9.6, when common types of DRAM are used, might allow r ...
OpenSSH through 9.6, when common types of DRAM are used, might allow row hammer attacks (for authentication bypass) because the integer value of authenticated in mm_answer_authpassword does not resist flips of a single bit. NOTE: this is applicable to a certain threat model of attacker-victim co-location in which the attacker has user privileges.
Уязвимость функции mm_answer_authpassword() cредства криптографической защиты OpenSSH, позволяющая нарушителю реализовать атаку Rowhammer и обойти процедуру аутентификации
EPSS
7 High
CVSS3