As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.<p>>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.<p><a href="https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html" rel="nofollow">https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...</a>
If I interpret the patch correctly, the issue seems to be that you could just ask for a channel and do a request_exec before authenticating. The regression test is:<p><pre><code> {send, hello},                                   % version exchange
 {send, ssh_msg_kexinit},                         % client KEXINIT
 {match, #ssh_msg_kexinit{_='_'}, receive_msg},   % server KEXINIT
 {send, SshMsgChannelOpen},                       % channel open, no authentication yet
 {send, SshMsgChannelRequest},                    % request on that channel, still unauthenticated
 {match, disconnect(), receive_msg}               % patched server must disconnect
</code></pre>
<a href="https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f">https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a...</a><p>edit: Ah, found by the people at RUB; they do a lot of research in verifying protocol implementations, iirc.
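To make the message flow in the comment above concrete, here is a small Python model of the server side, written for this thread as an illustration; it is not OTP's code and does not reproduce the actual patch. It ignores the crypto layer entirely (messages are handled as plaintext payloads, which is also why the regression test can send a channel open straight after KEXINIT), uses the message numbers from RFC 4253/4252/4254, a constructed credential alice/hunter2, and hands out server-side channel ids from 0 so a client can guess the recipient id without waiting for a confirmation. `enforce_auth=False` behaves like the bug described (connection-protocol messages are dispatched regardless of authentication state); `enforce_auth=True` applies the check that any message in the 80..127 range before USERAUTH_SUCCESS ends the connection.

```python
"""Toy model of an SSH server's message dispatch, showing why a channel
open plus 'exec' request before authentication is dangerous and how a
state check stops it.  Constructed example for this thread, not OTP code;
message numbers are the RFC 4253 / 4252 / 4254 values."""
import struct

SSH_MSG_KEXINIT = 20
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Constructed credential accepted by the model server (assumption, not OTP's).
VALID_CREDENTIAL = (b"alice", b"hunter2")


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_channel_open(sender_channel: int) -> bytes:
    """SSH_MSG_CHANNEL_OPEN 'session' (RFC 4254 5.1): sender id, window, max packet."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, 2 ** 21, 32768))


def build_channel_request_exec(recipient_channel: int, command: bytes) -> bytes:
    """SSH_MSG_CHANNEL_REQUEST 'exec' (RFC 4254 6.5) with want_reply = TRUE."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient_channel)
            + ssh_string(b"exec") + b"\x01" + ssh_string(command))


def build_userauth_password(user: bytes, password: bytes) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST 'password' (RFC 4252 8), no password change."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(b"ssh-connection") + ssh_string(b"password")
            + b"\x00" + ssh_string(password))


class ModelServer:
    def __init__(self, enforce_auth: bool):
        self.enforce_auth = enforce_auth   # False reproduces the bug, True the fix
        self.authenticated = False
        self.channels = set()              # server-side channel ids
        self.executed = []                 # commands that reached the exec handler

    def handle(self, payload: bytes) -> str:
        mtype = payload[0]
        # Connection-protocol messages (numbers 80..127) belong to the
        # ssh-connection service, which only starts after USERAUTH_SUCCESS.
        if self.enforce_auth and 80 <= mtype <= 127 and not self.authenticated:
            return "disconnect"
        if mtype == SSH_MSG_KEXINIT:
            return "kexinit"               # key exchange details left out of the model
        if mtype == SSH_MSG_USERAUTH_REQUEST:
            user, off = read_string(payload, 1)
            _service, off = read_string(payload, off)
            method, off = read_string(payload, off)
            if method == b"password":
                password, _ = read_string(payload, off + 1)  # skip the boolean
                if (user, password) == VALID_CREDENTIAL:
                    self.authenticated = True
                    return "userauth_success"
            return "userauth_failure"
        if mtype == SSH_MSG_CHANNEL_OPEN:
            chan_type, _ = read_string(payload, 1)
            if chan_type != b"session":
                return "channel_open_failure"
            local_id = len(self.channels)  # ids start at 0, so a client can guess them
            self.channels.add(local_id)
            return "channel_open_confirmation"
        if mtype == SSH_MSG_CHANNEL_REQUEST:
            (recipient,) = struct.unpack_from(">I", payload, 1)
            req_type, off = read_string(payload, 5)
            if recipient not in self.channels or req_type != b"exec":
                return "channel_failure"
            command, _ = read_string(payload, off + 1)       # skip want_reply
            self.executed.append(command)  # the side effect reachable pre-auth
            return "channel_success"
        return "unimplemented"


def replay(enforce_auth: bool, messages):
    """Feed a message sequence to a fresh model server; stop once it disconnects."""
    server = ModelServer(enforce_auth)
    responses = []
    for m in messages:
        r = server.handle(m)
        responses.append(r)
        if r == "disconnect":
            break
    return responses, server.executed


# The order from the regression test: KEXINIT, channel open, channel request,
# with no USERAUTH_REQUEST in between (the command is a constructed placeholder).
PRE_AUTH_EXEC = [bytes([SSH_MSG_KEXINIT]), build_channel_open(0),
                 build_channel_request_exec(0, b"id")]

# The same thing done properly: authenticate first.
AUTHED_EXEC = [bytes([SSH_MSG_KEXINIT]), build_userauth_password(b"alice", b"hunter2"),
               build_channel_open(0), build_channel_request_exec(0, b"id")]

if __name__ == "__main__":
    print("unpatched:", replay(False, PRE_AUTH_EXEC))
    print("patched:  ", replay(True, PRE_AUTH_EXEC))
    print("authed:   ", replay(True, AUTHED_EXEC))
```

The check is deliberately on the message-number range rather than on individual types: anything from the connection protocol before authentication is equally out of place, and a range test cannot be bypassed by picking a channel message the dispatcher forgot to list.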
Most Elixir deployments are probably unaffected (obviously, please please check to be sure), as SSH is turned off by default.<p><a href="https://paraxial.io/blog/erlang-ssh" rel="nofollow">https://paraxial.io/blog/erlang-ssh</a>
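One way to do the "check to be sure" from the network side, as an added example for this thread (not code from the linked post or from OTP): parse the SSH identification string each host sends (RFC 4253 section 4.2, `SSH-protoversion-softwareversion [SP comments]`) and flag anything announcing `Erlang/`, which is the software name OTP's ssh application puts in its banner. The sample captures, host addresses and version numbers below are constructed. A hit only tells you an Erlang SSH daemon is reachable; whether it is patched still has to be confirmed from the ssh application version on the host, and such daemons are often bound to a port other than 22, so scan the ports your nodes actually use.

```python
"""Inventory helper: parse SSH identification strings (RFC 4253 4.2) and
flag servers that announce OTP's ssh application.  Added example for this
thread, not from the linked post; the sample captures are constructed."""
import re
import socket
from typing import Optional

# Format: SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d\.\d+)-(?P<software>\S+)(?: (?P<comments>.*))?$")

# OTP's ssh application identifies itself as "Erlang/<ssh app version>".
ERLANG_PREFIX = "Erlang/"


def first_ssh_line(raw: bytes) -> Optional[str]:
    """Return the identification line; RFC 4253 allows other lines before it."""
    for line in raw.decode("ascii", errors="replace").splitlines():
        if line.startswith("SSH-"):
            return line.rstrip("\r")
    return None


def parse_banner(line: str) -> Optional[dict]:
    m = BANNER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def is_erlang_ssh(line: str) -> bool:
    info = parse_banner(line)
    return bool(info) and info["software"].startswith(ERLANG_PREFIX)


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> Optional[str]:
    """Read the identification string from a live host (needs network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return first_ssh_line(s.recv(4096))


def inventory(observed: dict) -> list:
    """Given {host: raw bytes received}, list hosts exposing an Erlang SSH daemon."""
    hits = []
    for host, raw in observed.items():
        line = first_ssh_line(raw)
        if line and is_erlang_ssh(line):
            hits.append((host, parse_banner(line)["software"]))
    return hits


# Constructed sample captures (not real hosts or observed versions).
SAMPLE_CAPTURES = {
    "10.0.0.1": b"SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5\r\n",
    "10.0.0.2": b"SSH-2.0-Erlang/5.2.8\r\n",
    "10.0.0.3": b"Welcome to the management port\r\nSSH-2.0-Erlang/5.1.4\r\n",
    "10.0.0.4": b"SSH-2.0-dropbear_2022.83\r\n",
    "10.0.0.5": b"HTTP/1.1 400 Bad Request\r\n",
}

if __name__ == "__main__":
    for host, software in inventory(SAMPLE_CAPTURES):
        print(f"{host}: {software} -> compare the ssh app version with the OTP advisory")
```

`first_ssh_line` skips pre-banner lines on purpose: the RFC permits a server to send arbitrary lines before the `SSH-` line, and a scanner that only looks at the first line received will silently miss such hosts.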
For folks interested in the security aspects of Erlang/BEAM languages, the guidelines from the <i>Security Working Group of the Erlang Ecosystem Foundation</i> are a good resource - <a href="https://security.erlef.org/" rel="nofollow">https://security.erlef.org/</a> and <a href="https://erlef.org/wg/security" rel="nofollow">https://erlef.org/wg/security</a>
I wrote a GitHub "clone" a while ago, implementing Git's wire and transfer protocol directly in Elixir.<p><a href="https://git-scm.com/docs/protocol-v2" rel="nofollow">https://git-scm.com/docs/protocol-v2</a><p><a href="https://git-scm.com/book/ms/v2/Git-on-the-Server-The-Protocols" rel="nofollow">https://git-scm.com/book/ms/v2/Git-on-the-Server-The-Protoco...</a><p>Adding support for Git over SSH was very easy using Erlang's built-in SSH libs.<p><a href="https://github.com/redrabbit/git.limo">https://github.com/redrabbit/git.limo</a><p><a href="https://github.com/redrabbit/git.limo/blob/master/apps/gitgud/lib/gitgud/ssh_server.ex">https://github.com/redrabbit/git.limo/blob/master/apps/gitgu...</a>
How does this affect servers like ejabberd? I just noticed that they upgraded their server yesterday [0] and am wondering if it could contain some kind of fix for this, or would this be unrelated?<p>[0] <a href="https://github.com/processone/ejabberd/releases">https://github.com/processone/ejabberd/releases</a>
Oops... We are currently trying to sell an Elixir-based greenfield project internally. This doesn't affect Elixir by default, as other commenters pointed out, but it still might make our project a bit harder to pitch to management...
You could probably write a custom XDP program to parse and check for this payload using a tool like yeet and XDP_DROP it.<p><a href="https://yeet.cx" rel="nofollow">https://yeet.cx</a><p>You can try our sandbox at <a href="https://yeet.cx/play" rel="nofollow">https://yeet.cx/play</a>