Message-ID: <088f2e26-c56c-4045-a822-359d468cad2f@rub.de>
Date: Wed, 16 Apr 2025 19:28:58 +0200
From: Fabian Bäumer <fabian.baeumer@....de>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
Hi all,
we (Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, Jörg Schwenk (Ruhr
University Bochum)) found a critical security vulnerability in the
Erlang/OTP SSH implementation. The vulnerability allows an attacker with
network access to an Erlang/OTP SSH server to execute arbitrary code
without prior authentication. This vulnerability has been assigned
CVE-2025-32433 with an estimated CVSSv3 of 10.0
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue is caused by a
flaw in the SSH protocol message handling which allows an attacker to
send connection protocol messages prior to authentication.
### Am I affected?
All users running an SSH server based on the Erlang/OTP SSH library are
likely to be affected by this vulnerability. If your application uses
Erlang/OTP SSH to provide remote access, assume you are affected.
### Impact
The vulnerability allows an attacker to execute arbitrary code in the
context of the SSH daemon. If your SSH daemon is running as root, the
attacker has full access to your device. Consequently, this
vulnerability may lead to full compromise of hosts, allowing for
unauthorized access to and manipulation of sensitive data by third
parties, or denial-of-service attacks.
### Mitigation
Users are advised to update to the latest available Erlang/OTP release.
Fixed versions are OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a
temporary workaround, access to vulnerable SSH servers can be prevented
by suitable firewall rules.
### Advisory
An official advisory is available on GitHub:
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Best regards,
Fabian Bäumer
--
M. Sc. Fabian Bäumer
Chair for Network and Data Security
Ruhr University Bochum
Universitätsstr. 150, Building MC 4/145
44780 Bochum
Germany
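As an added illustration of the flaw class the advisory describes (this is example code, not the advisory's or Erlang/OTP's own): a minimal server-side message gate in Python that tracks authentication state and refuses connection-protocol messages (SSH message numbers 80-127, as reserved by RFC 4251) until SSH_MSG_USERAUTH_SUCCESS has been sent. The two message traces are constructed for the example.

```python
# Added example, not code from the advisory or from Erlang/OTP.
# Message numbers are the standard values from RFC 4250/4251/4253/4254.
from dataclasses import dataclass, field

SSH_MSG_SERVICE_REQUEST = 5
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_SUCCESS = 52   # server -> client; flips the session to authenticated
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98


def is_connection_protocol(msg_type: int) -> bool:
    """RFC 4251 section 7 reserves 80-127 for the connection protocol (RFC 4254)."""
    return 80 <= msg_type <= 127


@dataclass
class SshSession:
    """Tracks whether user authentication completed and what the gate decided."""
    authenticated: bool = False
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def on_server_sends(self, msg_type: int) -> None:
        if msg_type == SSH_MSG_USERAUTH_SUCCESS:
            self.authenticated = True

    def on_client_message(self, msg_type: int) -> bool:
        # The check the vulnerable dispatcher lacked: connection-protocol
        # messages are only dispatched once the client is authenticated.
        # A real server would disconnect here; we record the violation.
        if is_connection_protocol(msg_type) and not self.authenticated:
            self.rejected.append(msg_type)
            return False
        self.accepted.append(msg_type)
        return True


def replay(events):
    """events: list of ('c' | 's', msg_type). Returns the session after replay."""
    session = SshSession()
    for who, msg_type in events:
        if who == 's':
            session.on_server_sends(msg_type)
        else:
            session.on_client_message(msg_type)
    return session


# Constructed trace: channel messages arrive before any authentication.
PRE_AUTH_TRACE = [('c', SSH_MSG_KEXINIT), ('c', SSH_MSG_NEWKEYS), ('c', SSH_MSG_SERVICE_REQUEST),
                  ('c', SSH_MSG_CHANNEL_OPEN), ('c', SSH_MSG_CHANNEL_REQUEST)]
# Constructed trace: normal flow, channel messages only after USERAUTH_SUCCESS.
NORMAL_TRACE = [('c', SSH_MSG_KEXINIT), ('c', SSH_MSG_NEWKEYS), ('c', SSH_MSG_SERVICE_REQUEST),
                ('c', SSH_MSG_USERAUTH_REQUEST), ('s', SSH_MSG_USERAUTH_SUCCESS),
                ('c', SSH_MSG_CHANNEL_OPEN), ('c', SSH_MSG_CHANNEL_REQUEST)]
```

The same state check applied to a decrypted server-side message log is a straightforward way to spot pre-authentication channel traffic against unpatched hosts.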