by aftbit on 4/17/2025, 2:28:26 PM
by formerly_proven on 4/17/2025, 3:31:46 PM
If I interpret the patch correctly the issue seems to be that you could just ask for a channel and do a request_exec before authenticating. The regression test is:
{send, hello},
{send, ssh_msg_kexinit},
{match, #ssh_msg_kexinit{_='_'}, receive_msg},
{send, SshMsgChannelOpen},
{send, SshMsgChannelRequest},
{match, disconnect(), receive_msg}
https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a...
edit: Ah, found by the people at RUB, they do a lot of research in verifying protocol implementations iirc.
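The ordering check that the regression test quoted above exercises, as an added example that is not part of the thread and not Erlang/OTP's code. It models an SSH server's message dispatcher as a small state machine: the "vulnerable" dispatch handles channel messages no matter what state the connection is in, the "strict" dispatch disconnects on any connection-protocol message that arrives before user authentication has succeeded. The ToyServer class, the credential table, the message sequences and the reply strings are all constructed here for illustration; only the message-type numbers come from RFC 4250. The regression test's first line, `{send, hello}`, is the version-string exchange rather than a binary packet, so it has no entry in the replayed sequence.

```python
"""Toy SSH dispatcher: vulnerable vs. strict handling of pre-auth channel messages.
Added example, not Erlang/OTP code. Server model, state names, credentials
and message sequences are assumptions; message numbers are from RFC 4250."""
from dataclasses import dataclass, field

# Message type numbers from RFC 4250, "SSH Protocol Assigned Numbers".
SSH_MSG_DISCONNECT = 1
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# Connection-protocol messages (RFC 4254): only meaningful after userauth.
CONNECTION_MSGS = {SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST}

# Constructed credential table for the toy server (assumption).
VALID_USERS = {"alice": "correct horse"}


@dataclass
class ToyServer:
    strict: bool                 # True = ordering check on, False = vulnerable
    authenticated: bool = False
    closed: bool = False
    executed: list = field(default_factory=list)  # exec requests that ran

    def handle(self, msg_type, payload=None):
        """Dispatch one incoming message and return the server's reaction."""
        if self.closed:
            return "closed"
        # The fix, in shape: refuse channel messages until auth succeeded.
        if self.strict and msg_type in CONNECTION_MSGS and not self.authenticated:
            self.closed = True
            return "disconnect"            # would send SSH_MSG_DISCONNECT
        if msg_type == SSH_MSG_KEXINIT:
            return "kexinit"
        if msg_type == SSH_MSG_NEWKEYS:
            return "newkeys"
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            user, password = payload
            if VALID_USERS.get(user) == password:
                self.authenticated = True
                return "userauth-success"  # would send SSH_MSG_USERAUTH_SUCCESS
            return "userauth-failure"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel-open-confirmation"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            # Vulnerable path: nothing above asked whether we are authenticated.
            self.executed.append(payload)
            return f"executed:{payload}"
        self.closed = True
        return "disconnect"


# Constructed replay of the regression test: kexinit, then straight to a
# channel open and a channel request with no userauth in between.
PRE_AUTH_EXEC = [
    (SSH_MSG_KEXINIT, None),
    (SSH_MSG_CHANNEL_OPEN, "session"),
    (SSH_MSG_CHANNEL_REQUEST, "exec:id"),
]

# Constructed legitimate session, to show the strict server still serves it.
LEGIT_SESSION = [
    (SSH_MSG_KEXINIT, None),
    (SSH_MSG_NEWKEYS, None),
    (SSH_MSG_USERAUTH_REQUEST, ("alice", "correct horse")),
    (SSH_MSG_CHANNEL_OPEN, "session"),
    (SSH_MSG_CHANNEL_REQUEST, "exec:id"),
]


def run(strict, messages):
    """Feed a message sequence to a fresh server; return (replies, executed)."""
    server = ToyServer(strict=strict)
    replies = [server.handle(t, p) for t, p in messages]
    return replies, server.executed


if __name__ == "__main__":
    for label, strict in (("vulnerable", False), ("strict", True)):
        print(label, "pre-auth exec:", run(strict, PRE_AUTH_EXEC))
        print(label, "legit session:", run(strict, LEGIT_SESSION))
```

Against the pre-auth sequence the vulnerable dispatcher opens the channel and runs the exec request; the strict one answers the channel open with a disconnect and never reaches the request. The real OTP change is in the linked commit; this model only shows where such a check has to sit relative to the message dispatch.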
by throwawaymaths on 4/17/2025, 4:05:26 PM
most Elixir deployments are probably unaffected (obviously, please please check to be sure), as SSH is turned off by default.
by rramadass on 4/17/2025, 2:43:29 PM
For folks interested in the Security aspects of Erlang/BEAM languages the guidelines from Security Working Group of the Erlang Ecosystem Foundation are a good resource - https://security.erlef.org/ and https://erlef.org/wg/security
by marioflach on 4/17/2025, 9:39:26 PM
I wrote a GitHub „clone“ a while ago. Implementing Git’s wire and transfer protocol directly in Elixir.
https://git-scm.com/docs/protocol-v2
https://git-scm.com/book/ms/v2/Git-on-the-Server-The-Protoco...
Adding support for Git over SSH was very easy using Erlang built-in SSH libs.
https://github.com/redrabbit/git.limo
https://github.com/redrabbit/git.limo/blob/master/apps/gitgu...
by qwertox on 4/17/2025, 4:22:20 PM
How does this affect servers like ejabberd? I just noticed that they upgraded their server yesterday [0] and am wondering if it could contain some kind of fix for this, or would this be unrelated?
by aposm on 4/17/2025, 5:22:28 PM
Oops..... we are currently trying to sell an elixir-based greenfield project internally. This doesn't affect elixir by default as other commenters pointed out, but still might make our project a bit harder to pitch to management...
by bilekas on 4/17/2025, 5:04:32 PM
There’s something really strange and upsetting reading this on an archive site that won't be around for much longer..
by r3tr0 on 4/17/2025, 7:25:11 PM
you could probably write a custom XDP program to parse and check for this payload using a tool like yeet and XDP_DROP it.
you can try our sandbox at https://yeet.cx/play
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.
>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.
https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...