Unauthenticated Remote Code Execution in Erlang/OTP SSH

(nvd.nist.gov)

198 points kimi | 1 comments | 17 Apr 25 13:29 UTC | HN request time: 0s | source

Show context

aftbit ◴[17 Apr 25 14:28 UTC] No.43717385[source]▶

As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.

>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.

https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...

replies(2): >>43717937 #>>43719581 #

rollcat ◴[17 Apr 25 17:06 UTC] No.43719581[source]▶

>>43717385 #

This is why I generally do not rely on SSH servers other than OpenSSH. It's (by far) the most widely deployed implementation, thoroughly battle-tested, etc. It's also hard to actually get pwned; the OpenBSD[1] guys believe in security as the default.

There's some value in avoiding a monoculture, or choosing different trade-offs (e.g. binary size, memory usage). But as exemplified by this incident, any incentives must be carefully weighted against the risks. SSH is your final line of defence.

[1]: https://www.openbsd.org/donations.html

replies(3): >>43720311 #>>43720798 #>>43722007 #

1. PhilipRoman ◴[17 Apr 25 18:58 UTC] No.43720798[source]▶

>>43719581 #

I also have this principle, although I make an exception for https://tinyssh.org

↑