
Unauthenticated Remote Code Execution in Erlang/OTP SSH

199 points by kimi 28 days ago

9 comments

aftbit 27 days ago
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.

> Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vulnerability.html
Comment #43717937 not loaded
Comment #43719581 not loaded
formerly_proven 27 days ago
If I interpret the patch correctly, the issue seems to be that you could just ask for a channel and do a request_exec before authenticating. The regression test is:

    {send, hello},
    {send, ssh_msg_kexinit},
    {match, #ssh_msg_kexinit{_='_'}, receive_msg},
    {send, SshMsgChannelOpen},
    {send, SshMsgChannelRequest},
    {match, disconnect(), receive_msg}

https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f

edit: Ah, found by the people at RUB; they do a lot of research in verifying protocol implementations iirc.
Comment #43719016 not loaded
Comment #43718897 not loaded
Comment #43718365 not loaded
Comment #43720515 not loaded
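The regression test quoted above expects the server to disconnect when channel messages arrive straight after key exchange. The following is an added example, not code from the OTP commit or from the commenter: a small defender-side check that walks a transcript of SSH message numbers (RFC 4250 section 4.1.2) and flags connection-protocol messages such as SSH_MSG_CHANNEL_OPEN or SSH_MSG_CHANNEL_REQUEST that a client sends before the server has issued SSH_MSG_USERAUTH_SUCCESS. `server_should_accept` is the invariant an SSH server must enforce and is stated here as an assumption; the two transcripts are constructed. The same function can be run over message sequences recovered from a decrypted test harness or a protocol fuzzer to confirm a server refuses the pre-authentication path.

```python
"""Flag SSH connection-protocol messages sent before user authentication.

Added example (not OTP code). Message numbers come from RFC 4250 section
4.1.2; the two transcripts at the bottom are constructed for illustration.
"""

# Transport layer (RFC 4253)
SSH_MSG_DISCONNECT = 1
SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
# User authentication (RFC 4252)
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
# Connection protocol (RFC 4254)
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_OPEN_CONFIRMATION = 91
SSH_MSG_CHANNEL_REQUEST = 98

MSG_NAMES = {
    SSH_MSG_DISCONNECT: "SSH_MSG_DISCONNECT",
    SSH_MSG_SERVICE_REQUEST: "SSH_MSG_SERVICE_REQUEST",
    SSH_MSG_SERVICE_ACCEPT: "SSH_MSG_SERVICE_ACCEPT",
    SSH_MSG_KEXINIT: "SSH_MSG_KEXINIT",
    SSH_MSG_NEWKEYS: "SSH_MSG_NEWKEYS",
    SSH_MSG_USERAUTH_REQUEST: "SSH_MSG_USERAUTH_REQUEST",
    SSH_MSG_USERAUTH_FAILURE: "SSH_MSG_USERAUTH_FAILURE",
    SSH_MSG_USERAUTH_SUCCESS: "SSH_MSG_USERAUTH_SUCCESS",
    SSH_MSG_CHANNEL_OPEN: "SSH_MSG_CHANNEL_OPEN",
    SSH_MSG_CHANNEL_OPEN_CONFIRMATION: "SSH_MSG_CHANNEL_OPEN_CONFIRMATION",
    SSH_MSG_CHANNEL_REQUEST: "SSH_MSG_CHANNEL_REQUEST",
}

# RFC 4250 reserves numbers 80-127 for the connection protocol. None of
# those messages may be processed before SSH_MSG_USERAUTH_SUCCESS was sent.
CONNECTION_PROTOCOL = range(80, 128)


def server_should_accept(authenticated, msg_type):
    """Invariant a server must enforce on every incoming packet (assumed here):
    connection-protocol messages are valid only on an authenticated session.
    Every other message type is left to its normal per-message handling."""
    if msg_type in CONNECTION_PROTOCOL:
        return authenticated
    return True


def audit_transcript(transcript):
    """Walk a list of (direction, msg_type) pairs, direction being 'C' for
    client->server and 'S' for server->client, and return the client messages
    a compliant server should have refused, as (index, message name)."""
    authenticated = False
    findings = []
    for index, (direction, msg_type) in enumerate(transcript):
        if direction == "S" and msg_type == SSH_MSG_USERAUTH_SUCCESS:
            authenticated = True
        elif direction == "C" and not server_should_accept(authenticated, msg_type):
            findings.append((index, MSG_NAMES.get(msg_type, str(msg_type))))
    return findings


# Constructed: a normal session that authenticates before opening a channel.
BENIGN_SESSION = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_NEWKEYS), ("S", SSH_MSG_NEWKEYS),
    ("C", SSH_MSG_SERVICE_REQUEST), ("S", SSH_MSG_SERVICE_ACCEPT),
    ("C", SSH_MSG_USERAUTH_REQUEST), ("S", SSH_MSG_USERAUTH_SUCCESS),
    ("C", SSH_MSG_CHANNEL_OPEN), ("S", SSH_MSG_CHANNEL_OPEN_CONFIRMATION),
    ("C", SSH_MSG_CHANNEL_REQUEST),
]

# Constructed: the shape the regression test checks, channel messages right
# after key exchange with no authentication; a fixed server disconnects.
PRE_AUTH_SESSION = [
    ("C", SSH_MSG_KEXINIT), ("S", SSH_MSG_KEXINIT),
    ("C", SSH_MSG_CHANNEL_OPEN),
    ("C", SSH_MSG_CHANNEL_REQUEST),
    ("S", SSH_MSG_DISCONNECT),
]

if __name__ == "__main__":
    for label, session in (("benign", BENIGN_SESSION), ("pre-auth", PRE_AUTH_SESSION)):
        print(label, audit_transcript(session) or "no findings")
```

Running the block prints no findings for the benign session and two findings, the channel open and the channel request at indices 2 and 3, for the pre-authentication session.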
throwawaymaths 27 days ago
Most Elixir deployments are probably unaffected (obviously, please please check to be sure), as SSH is turned off by default.

https://paraxial.io/blog/erlang-ssh
Comment #43720031 not loaded
Comment #43719778 not loaded
rramadass 27 days ago
For folks interested in the security aspects of Erlang/BEAM languages, the guidelines from the Security Working Group of the Erlang Ecosystem Foundation are a good resource - https://security.erlef.org/ and https://erlef.org/wg/security
marioflach 27 days ago
I wrote a GitHub "clone" a while ago, implementing Git's wire and transfer protocol directly in Elixir.

https://git-scm.com/docs/protocol-v2

https://git-scm.com/book/ms/v2/Git-on-the-Server-The-Protocols

Adding support for Git over SSH was very easy using Erlang's built-in SSH libs.

https://github.com/redrabbit/git.limo

https://github.com/redrabbit/git.limo/blob/master/apps/gitgud/lib/gitgud/ssh_server.ex
qwertox 27 days ago
How does this affect servers like ejabberd? I just noticed that they upgraded their server yesterday [0] and am wondering if it could contain some kind of fix for this, or would this be unrelated?

[0] https://github.com/processone/ejabberd/releases
Comment #43719109 not loaded
aposm 27 days ago
Oops... we are currently trying to sell an Elixir-based greenfield project internally. This doesn't affect Elixir by default, as other commenters pointed out, but it still might make our project a bit harder to pitch to management...
Comment #43720018 not loaded
Comment #43724686 not loaded
Comment #43720413 not loaded
bilekas 27 days ago
There's something really strange and upsetting about reading this on an archive site that won't be around for much longer...
Comment #43719715 not loaded
r3tr0 27 days ago
You could probably write a custom XDP program to parse and check for this payload using a tool like yeet and XDP_DROP it.

https://yeet.cx

You can try our sandbox at https://yeet.cx/play