Summary
A serious vulnerability has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
Am I Affected?
All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.
Impact
The vulnerability allows for unauthenticated remote code execution by malicious actors with network access to hosts running an Erlang/OTP SSH server. This could lead to compromise of said hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.
Mitigation
- Update: Users are advised to update to OTP-27.3.3 (for OTP-27), OTP-26.2.5.11 (for OTP-26), or OTP-25.3.2.20 (for OTP-25) to mitigate this issue.
- Temporary Workaround: Until upgrading to a fixed version, we recommend disabling the SSH server or to prevent access via firewall rules.
Affected/Unaffected Versions
A version larger than or equal to one of the listed patched versions is unaffected; otherwise, a version that satisfies the expression listed under affected versions is affected, and if it does not, it is unaffected.
The documentation of the new OTP version scheme describes how versions should be compared. Note that versions used prior to OTP 17.0, when the new OTP version scheme was introduced, are never listed since it is not well defined how to compare those versions.
In the case of this vulnerability, versions prior to OTP 17.0 are likely also affected.
Credits
Thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from the Ruhr University Bochum for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.
TrueSkrillor Finder
lambdafu Finder
Summary
A serious vulnerability has been identified in the Erlang/OTP SSH server that may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor could gain unauthorized access to affected systems and execute arbitrary commands without valid credentials.
Am I Affected?
All users running the Erlang/OTP SSH server are impacted by this vulnerability, regardless of the underlying Erlang/OTP version. If your application provides SSH access using the Erlang/OTP SSH library, assume you are affected.
Impact
The vulnerability allows for unauthenticated remote code execution by malicious actors with network access to hosts running an Erlang/OTP SSH server. This could lead to compromise of said hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.
Mitigation
Affected/Unaffected Versions
A version larger than or equal to one of the listed patched versions is unaffected; otherwise, a version that satisfies the expression listed under affected versions is affected, and if it does not, it is unaffected.
The documentation of the new OTP version scheme describes how versions should be compared. Note that versions used prior to OTP 17.0, when the new OTP version scheme was introduced, are never listed since it is not well defined how to compare those versions.
In the case of this vulnerability, versions prior to OTP 17.0 are likely also affected.
Credits
Thanks to Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from the Ruhr University Bochum for finding and responsibly disclosing this vulnerability to the Erlang/OTP project.