Message-ID: <20250418023020.GA13179@openwall.com>
Date: Fri, 18 Apr 2025 04:30:20 +0200
From: Solar Designer <solar@...nwall.com>
To: Fabian Bäumer <fabian.baeumer@....de>
Cc: oss-security@...ts.openwall.com, Matt Keeley <keeley55@...com>
Subject: Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH

On Wed, Apr 16, 2025 at 07:28:58PM +0200, Fabian Bäumer wrote:
> we (Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, Jörg Schwenk (Ruhr
> University Bochum)) found a critical security vulnerability in the
> Erlang/OTP SSH implementation. The vulnerability allows an attacker with
> network access to an Erlang/OTP SSH server to execute arbitrary code
> without prior authentication. This vulnerability has been assigned
> CVE-2025-32433 with an estimated CVSSv3 of 10.0
> (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue is caused by a
> flaw in the SSH protocol message handling which allows an attacker to
> send connection protocol messages prior to authentication.
>
> ### Am I affected?
>
> All users running an SSH server based on the Erlang/OTP SSH library are
> likely to be affected by this vulnerability. If your application uses
> Erlang/OTP SSH to provide remote access, assume you are affected.
>
> ### Impact
>
> The vulnerability allows an attacker to execute arbitrary code in the
> context of the SSH daemon. If your SSH daemon is running as root, the
> attacker has full access to your device. Consequently, this
> vulnerability may lead to full compromise of hosts, allowing for
> unauthorized access to and manipulation of sensitive data by third
> parties, or denial-of-service attacks.
>
> ### Mitigation
>
> Users are advised to update to the latest available Erlang/OTP release.
> Fixed versions are OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a
> temporary workaround, access to vulnerable SSH servers can be prevented
> by suitable firewall rules.
>
> ### Advisory
>
> An official advisory is available on GitHub:
> https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2

Matt Keeley (CC'ed) has just published an exploit at:

https://github.com/ProDefense/CVE-2025-32433

I'm also attaching the files to this message for archival. These
correspond to the first and currently the only commit in the above repo,
commit hash 7936ef1cae51717e191328f3f571bf8a69370ce0.

I did not test this, but at least it doesn't look obviously wrong to me.

I've also already seen an animated GIF of someone else's unreleased
exploit running (probably real), and a fake exploit for this bug on a
pastebin (doesn't look malicious, just fake).

Alexander

View attachment "CVE-2025-32433.py" of type "text/plain" (3969 bytes)
View attachment "Dockerfile" of type "text/plain" (886 bytes)
View attachment "ssh_server.erl" of type "text/plain" (589 bytes)
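The three fixed releases named in the quoted advisory can be turned into a branch-aware version check for an inventory or patch-verification script. This is an added example, not code from the advisory, from the message above, or from the attached files; it assumes the version string is read from the OTP_VERSION file in the release directory, and it reports branches the advisory does not list as "unknown" rather than guessing.

```python
"""Classify an Erlang/OTP release string against the fixed releases named
for CVE-2025-32433 (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20).

Added example; the full version string can be read from
<code:root_dir()>/releases/<major>/OTP_VERSION on the host being checked.
"""

# Fixed release per maintained branch, as stated in the advisory.
FIXED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(text: str) -> tuple[int, ...]:
    """Parse 'OTP-26.2.5.10' or '26.2.5.10' into a tuple of integers."""
    s = text.strip()
    if s.upper().startswith("OTP-"):
        s = s[4:]
    parts = s.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(v: tuple[int, ...], width: int) -> tuple[int, ...]:
    # Pad with zeros so 27.3 compares as 27.3.0 against 27.3.3.
    return v + (0,) * (width - len(v))


def ssh_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for CVE-2025-32433."""
    v = parse_otp_version(version)
    major = v[0]
    if major not in FIXED:
        # Branches not named in the advisory (older branches, or releases
        # newer than 27): no fixed version is given, so do not guess;
        # the operator must confirm against the vendor advisory.
        return "unknown"
    fixed = FIXED[major]
    width = max(len(v), len(fixed))
    return "fixed" if _padded(v, width) >= _padded(fixed, width) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; a real run would read OTP_VERSION from disk.
    for sample in ("OTP-27.3.3", "26.2.5.10", "25.3.2.20", "24.3.4.17"):
        print(sample, "->", ssh_status(sample))
```

The check only says whether the installed release contains the fix; a node still running an older release in memory must be restarted before the result applies to the live SSH daemon.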