←back to thread

Unauthenticated Remote Code Execution in Erlang/OTP SSH

(nvd.nist.gov)
198 points kimi | 9 comments | 17 Apr 25 13:29 UTC | HN request time: 0.001s | source | bottom
Show context
aftbit ◴[17 Apr 25 14:28 UTC] No.43717385[source]
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.

>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...

replies(2): >>43717937 #>>43719581 #
kimi ◴[17 Apr 25 15:02 UTC] No.43717937[source]
Yes - one of the many things that you can find in OTP is a programmable SSH/SCP client and server. The vulnerability is in the server component.

See for example https://blog.differentpla.net/blog/2022/11/01/erlang-ssh/

replies(1): >>43718289 #
davidw ◴[17 Apr 25 15:29 UTC] No.43718289[source]
Erlang, because of its architecture, has something of a habit of people rewriting various protocols in Erlang itself, rather than calling out to some C library.

This has pros and cons.

replies(2): >>43718454 #>>43718607 #
1. innocentoldguy ◴[17 Apr 25 15:39 UTC] No.43718454[source]
This is probably because C NIFs run in the same process as the Erlang scheduler. If you have a long-running or blocking NIF, it can starve the scheduler and cause significant performance degradation across the system.
replies(2): >>43718599 #>>43721295 #
2. natrys ◴[17 Apr 25 15:49 UTC] No.43718599[source]
I think they now have "dirty" NIFs that use a separate scheduler for this.
replies(1): >>43718797 #
3. throwawaymaths ◴[17 Apr 25 16:06 UTC] No.43718797[source]
yes, but there is a finite number of them, by default equal to the number of available cores. If your connection stays in c-land for too long you might run into trouble, if more than one connection are desired.
4. hinkley ◴[17 Apr 25 19:45 UTC] No.43721295[source]
I wonder if there's space for a libuv inspired solution now.
replies(1): >>43723070 #
5. toast0 ◴[17 Apr 25 22:52 UTC] No.43723070[source]
libuv is more or less abstraction around an event loop for async i/o right?

The BEAM is also more or less an abstraction around an event loop for async i/o. If you want async i/o in nifs, I think you want to integrate with BEAM's event loop. Inside NIFs, I think you want to use enif_select [1] (and friends), available since OTP 20 originally from 2017-06-21. In a port driver, you'd use driver_select [2] which I think has been around forever --- there's mentions of changes in R13 which I think was mostly release 2009-11-20 (that may have been R13B though).

[1] https://www.erlang.org/doc/apps/erts/erl_nif.html#enif_selec...

[2] https://www.erlang.org/doc/apps/erts/erl_driver.html#driver_...

replies(1): >>43723271 #
6. hinkley ◴[17 Apr 25 23:19 UTC] No.43723271{3}[source]
It uses different threads in order to make infrequent blocking calls look like they are asynchronous.

When we (or at least some quantity of “we”) want is infrequent native calls to be able to fail without taking the BEAM down.

The problem with doing it with threads though is that a bad thread can still vomit all over working memory, still causing a panic even if it itself doesn’t panic.

replies(1): >>43725727 #
7. toast0 ◴[18 Apr 25 07:04 UTC] No.43725727{4}[source]
Oh I see. If you need to isolate your native code from your BEAM, then you've got several options.

a) run the native code as a separate process; either a port program, a c-node, or just a regular program that you interact with via some interprocess communication (sockets, pipes, signals, a shared filesystem, shared memory segments if you're brave)

b) some sort of sandybox thing; like compile to wasm and then jit back to (hopefully) safe native.

c) just run the native code, it's probably fine, hopefully. My experience with NIFs is that they are usually very short code that should be easy to review, so this isn't as bad as it sounds...

If your native code is short, option c is probably fine; if your native code is long, option a makes more sense. If you want to make things harder without real justification, b sounds good :P

replies(1): >>43730775 #
8. hinkley ◴[18 Apr 25 18:43 UTC] No.43730775{5}[source]
I suspect the confusion of priorities comes from running native code that’s time consuming and wanting it to horizontally scale with your cluster, which is easier if you try to let the beam do it.

While what is easier for those of us not working on the beam is to put the glitchy code into its own service and put up with the maintenance overhead.

But when you have one or two solutions the friction to move to three becomes difficult. People start talking about how having dozens will be chaos. While true, sometimes you really do just need three and it’s not a slippery slope.

replies(1): >>43734673 #
9. toast0 ◴[19 Apr 25 06:40 UTC] No.43734673{6}[source]
> sometimes you really do just need three

If it's worth doing, it's worth doing three times.