
oss-sec mailing list archives
Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
From: Solar Designer <solar () openwall com>
Date: Sat, 19 Apr 2025 01:20:31 +0200
Hi Fabian,

Thank you very much for this discovery and for the additional detail.

On Fri, Apr 18, 2025 at 02:01:44PM +0200, Fabian Bäumer wrote:
> Now, what prevented detection of this vulnerability by tools like SSHambles, is that the server does not respond to these requests.

For others looking this up, it's actually SSHamble (without the "s"):

https://www.runzero.com/sshamble/
https://github.com/runZeroInc/sshamble

How did your team find this vulnerability? Manual auditing? Different tool? A formal verification project?

> ### Am I affected?
> All users running an SSH server based on the Erlang/OTP SSH library are likely to be affected by this vulnerability. If your application uses Erlang/OTP SSH to provide remote access, assume you are affected.

This has some additional detail on Elixir/Phoenix:

https://paraxial.io/blog/erlang-ssh

"The default configuration for Phoenix does not expose the Erlang SSH daemon to the public internet. It is technically possible you are vulnerable if your application does expose Erlang's SSH daemon, for example Elixir sftp clients do this."

Regarding Matt Keeley's exploit I posted yesterday, they now have a blog post explaining how the exploit was created mostly by AI:

https://platformsecurity.com/blog/CVE-2025-32433-poc

That's very impressive, although it might have been helped by the fix containing a regression test, which already was almost a public PoC:

https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a0d8650209cf54892f#diff-156a6329570e311c82b40c32d19acb37ef6d03339219ea18cd2a2a4e5649c8e5R390

as it included the main steps:

early_rce(Config) ->
    [...]
    {send, hello},
    {send, ssh_msg_kexinit},
    {match, #ssh_msg_kexinit{_='_'}, receive_msg},
    {send, SshMsgChannelOpen},
    {send, SshMsgChannelRequest},

Alexander
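The message order quoted from the early_rce regression test (identification string, KEXINIT, then CHANNEL_OPEN and CHANNEL_REQUEST with no key exchange completed) is something a passive observer can check for, because everything before SSH_MSG_NEWKEYS is sent in cleartext. The following is an added example, written for this page and not taken from the mail thread, the Erlang/OTP project, or any of the linked exploits: it frames and parses RFC 4253 binary packets and flags any connection-protocol message (numbers 80-127 per RFC 4250) that a client sends before NEWKEYS. The sample streams are constructed inline; the "exec"/"id" channel request is an assumed, illustrative request type, since the thread does not describe the actual request the exploit sends. Because the scanner only sees the unencrypted prefix of a connection, it detects the pre-key-exchange ordering the regression test exercises, not every possible ordering of the same messages.

```python
import struct

# Message numbers from RFC 4253 (transport) and RFC 4254 (connection protocol).
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
MSG_NAMES = {20: "SSH_MSG_KEXINIT", 21: "SSH_MSG_NEWKEYS",
             90: "SSH_MSG_CHANNEL_OPEN", 98: "SSH_MSG_CHANNEL_REQUEST"}
MAX_PACKET = 35000  # RFC 4253 section 6.1 minimum packet size; used here as a sanity bound


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string' (uint32 length prefix followed by the bytes)."""
    return struct.pack(">I", len(b)) + b


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame a payload as an unencrypted SSH binary packet (RFC 4253 section 6)."""
    padding_len = block_size - ((len(payload) + 5) % block_size)
    if padding_len < 4:            # at least four bytes of padding are required
        padding_len += block_size
    packet_len = 1 + len(payload) + padding_len
    return struct.pack(">IB", packet_len, padding_len) + payload + b"\x00" * padding_len


def parse_packets(stream: bytes):
    """Yield the payload of each consecutive unencrypted binary packet in stream."""
    off = 0
    while off + 5 <= len(stream):
        packet_len, padding_len = struct.unpack_from(">IB", stream, off)
        payload_len = packet_len - padding_len - 1
        if packet_len > MAX_PACKET or payload_len < 1 or off + 4 + packet_len > len(stream):
            raise ValueError("truncated or malformed packet at offset %d" % off)
        yield stream[off + 5: off + 5 + payload_len]
        off += 4 + packet_len


def split_banner(stream: bytes):
    """Split the client identification line (RFC 4253 section 4.2) from the packets after it."""
    end = stream.find(b"\r\n")
    if end < 0 or not stream.startswith(b"SSH-"):
        raise ValueError("missing SSH identification string")
    return stream[:end].decode("ascii"), stream[end + 2:]


def scan_client_stream(stream: bytes):
    """Return (number, name) for every connection-protocol message (80-127, RFC 4250)
    the client sent in cleartext before SSH_MSG_NEWKEYS. Any such message is out of
    order: channels are only meaningful after key exchange and user authentication."""
    _banner, packets = split_banner(stream)
    findings = []
    for payload in parse_packets(packets):
        msg = payload[0]
        if msg == SSH_MSG_NEWKEYS:
            break                  # everything after this is encrypted and opaque here
        if 80 <= msg <= 127:
            findings.append((msg, MSG_NAMES.get(msg, "SSH_MSG_%d" % msg)))
    return findings


# --- constructed sample traffic (not captured from any real host) ---

def build_kexinit() -> bytes:
    cookie = b"\x00" * 16          # a real client sends 16 random bytes
    name_lists = [b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
                  b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""]
    return (bytes([SSH_MSG_KEXINIT]) + cookie + b"".join(ssh_string(n) for n in name_lists)
            + b"\x00" + struct.pack(">I", 0))   # first_kex_packet_follows = false, reserved


def build_channel_open(sender_channel: int = 0) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, 0x8000, 0x4000))


def build_channel_request(recipient_channel: int = 0) -> bytes:
    # "exec" with a harmless command is an assumed, illustrative request type; the
    # request the real exploit sends is not described in this thread.
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient_channel)
            + ssh_string(b"exec") + b"\x01" + ssh_string(b"id"))


# Same message order as the early_rce regression test: hello, KEXINIT, then channel
# messages with no key exchange completed.
SUSPICIOUS_STREAM = (b"SSH-2.0-probe\r\n" + build_packet(build_kexinit())
                     + build_packet(build_channel_open())
                     + build_packet(build_channel_request()))

# Well-behaved client: KEXINIT, NEWKEYS (the KEX reply messages in between are omitted),
# then ciphertext that the scanner must not try to interpret.
BENIGN_STREAM = (b"SSH-2.0-client\r\n" + build_packet(build_kexinit())
                 + build_packet(bytes([SSH_MSG_NEWKEYS])) + b"\x8f\x12\x33\x44" * 8)

if __name__ == "__main__":
    print(scan_client_stream(SUSPICIOUS_STREAM))  # [(90, 'SSH_MSG_CHANNEL_OPEN'), (98, 'SSH_MSG_CHANNEL_REQUEST')]
    print(scan_client_stream(BENIGN_STREAM))      # []
```

Feed scan_client_stream() the client-to-server bytes of a TCP stream (for instance reassembled from a capture); a non-empty result means channel messages were sent in the clear before any keys were in use, which no legitimate client does. The parser stops at NEWKEYS on purpose rather than guessing at ciphertext boundaries.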
Current thread:
- CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Fabian Bäumer (Apr 16)
- Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Solar Designer (Apr 17)
- Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Fabian Bäumer (Apr 18)
- Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Solar Designer (Apr 18)
- Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Fabian Bäumer (Apr 19)
- Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH  Solar Designer (Apr 18)