
198 points kimi | 2 comments
aftbit No.43717385
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.

>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...

replies(2): >>43717937, >>43719581
kimi No.43717937
Yes - one of the many things that you can find in OTP is a programmable SSH/SCP client and server. The vulnerability is in the server component.

See for example https://blog.differentpla.net/blog/2022/11/01/erlang-ssh/

replies(1): >>43718289
davidw No.43718289
Erlang, because of its architecture, has something of a habit of people rewriting various protocols in Erlang itself, rather than calling out to some C library.

This has pros and cons.

replies(2): >>43718454, >>43718607
innocentoldguy No.43718454
This is probably because C NIFs run in the same process as the Erlang scheduler. If you have a long-running or blocking NIF, it can starve the scheduler and cause significant performance degradation across the system.
replies(2): >>43718599, >>43721295
natrys No.43718599
I think they now have "dirty" NIFs that use a separate scheduler for this.
replies(1): >>43718797
throwawaymaths No.43718797
Yes, but there is a finite number of them, by default equal to the number of available cores. If your connection stays in C-land for too long you might run into trouble if more than one connection is desired.