oss-sec mailing list archives

Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH


From: "Adiletta, Andrew" <ajadiletta () wpi edu>
Date: Sun, 28 Sep 2025 15:22:43 +0000

Theo,

Even after two years we stand behind our paper and the contributions as outlined. There is nothing more natural for any 
vulnerability researcher to evaluate the most widely used products. If we had doubts about the claim or any of the 
POCs, we would have simply not included them in the paper.

As far as SSH is concerned there are ways to handle synchronization (we outline them in the paper). The POC concept we 
present in the paper should be acceptable to anybody who is fluent in the Rowhammer/microarch attack literature. There 
are numerous results where the target is slowed down to solve synchronization. We don’t brush aside or hide the 
synchronization issue in the paper but discuss it explicitly.

As for the change in the abstract that Damien suggested, we actually were ready to implement it. But then you 
interfered and said it's not going to make a difference.

Regardless, it looks like we should actually clarify the SSH case further with a couple of sentences in the abstract 
and update the arXiv version.


________________________________
From: Theo de Raadt <deraadt () openbsd org>
Sent: Sunday, September 28, 2025 10:12:26 AM
To: Damien Miller <djm () mindrot org>
Cc: Adiletta, Andrew <ajadiletta () wpi edu>; Solar Designer <solar () openwall com>; oss-security () lists openwall 
com <oss-security () lists openwall com>; openssh () openssh com <openssh () openssh com>; Tol, Caner <mtol () wpi 
edu>; Sunar, Berk <sunar () wpi edu>; Doroz, Yarkin <ydoroz () wpi edu>; Todd C. Miller <Todd.Miller () courtesan com>; 
pgut001 () cs auckland ac nz <pgut001 () cs auckland ac nz>
Subject: Re: [EXT] Re: [oss-security] CVE-2023-51767: a bogus CVE in OpenSSH


Damien Miller <djm () mindrot org> wrote:

> On Wed, 24 Sep 2025, Adiletta, Andrew wrote:
>
> > Hi Alexander and Team,
> >
> > Thank you for the interest in our paper, and we appreciate all the
> > feedback. We wanted to address two points - the OpenSSH CVE, and the
> > comments from the OpenSSH community about the practicality of the attack.
> >
> > On CVE-2023-51767 (OpenSSH), we did not submit this CVE. Our team
> > coordinates with vendors / software maintainers before submitting CVEs to
> > make sure there is agreement. The CVE description does seem
> > mischaracterized, as this is not a zero-click type vulnerability as the CVE
> > suggests, and we would not oppose either a revision or other action. We did
> > work with Todd Miller on a SUDO CVE (CVE-2023-42465), for which we worked
> > with him to release a patch.
> >
> > However, on the practicality, I do believe that we did not mischaracterize
> > the attack in the paper, and as Alexander concisely mentioned, we are really
> > trying to emphasize the issues with simple 0/1 flag logic that leads down to
> > sensitive execution flows.
>
> Sure, but my criticism at the time was that your paper claimed in
> the abstract to have successfully attacked OpenSSH to bypass
> authentication but what was actually attacked was a modified version
> of sshd run in a highly unrealistic and synchronised setting.
>
> IMO this context matters and doesn't detract from your findings.

Andrew, I think you should answer Damien's comment.

I'm a bit more cynical, and think this is very close to open source
community engagement malpractice -- where you picked projects
specifically to increase readership of your paper, and went through the
effort to construct synthetic justification, and I think you should
consider issuing an official apology and/or official retraction of those
statements about OpenSSH being vulnerable.  There you have it, that's my
opinion on this.
