Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH

["Theo de Raadt" <deraadt () openbsd org>]

Damien Miller <djm () mindrot org> wrote:

> On Wed, 24 Sep 2025, Adiletta, Andrew wrote:
>
> > Hi Alexander and Team,
> >
> > Thank your for the interest in our paper, and we appreciate all the
> > feedback. We wanted to address two points - the OpenSSH CVE, and the
> > comments from the OpenSSH community about the practicality of the attack. 
> >
> > On CVE-2023-51767 (OpenSSH), we did not submit this CVE. Our team
> > coordinates with vendors / software mantainers before submitting CVEs to
> > make sure there is agreement. The CVE description does seem
> > mischaracterized, as this is not a zero-click type vulnability as the CVE
> > suggests, and we would not oppose either a revision or other action. We did
> > work with Todd Miller on a SUDO CVE (CVE-2023-42465), of which we worked
> > with him to release a patch. 
> >
> > However, on the practicality, I do believe that we did not mischaracterize
> > the attack in the paper, and as Alexander concisely mentioned, we are really
> > trying to emphasize the issues with simple 0/1 flag logic that leads down to
> > sensitive execution flows. 
>
> Sure, but my criticism at the time was that your paper claimed in
> the abstract to have successfully attacked OpenSSH to bypass
> authentication but what was actually attacked was a modified version
> of sshd run in a highly unrealistic and synchronised setting.
>
> IMO this context matters and doesn't detract from your findings.

Andrew, I think you should answer Damien's comment.

I'm a bit more cynical, and think this is very close to open source
community engagement malpractice -- where you picked projects
specifically to increase readership of your paper, and went through the
effort to construct synthetic justification, and I think you should
consider issuing an official apology and/or official retraction of those
statements about OpenSSH being vulnerable.  There you have it, that's my
opinion on this.