
oss-sec mailing list archives
Re: CVE-2025-32433: Unauthenticated Remote Code Execution in Erlang/OTP SSH
From: Solar Designer <solar () openwall com>
Date: Fri, 18 Apr 2025 04:30:20 +0200
On Wed, Apr 16, 2025 at 07:28:58PM +0200, Fabian Bäumer wrote:
> We (Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, Jörg Schwenk (Ruhr University Bochum)) found a critical security vulnerability in the Erlang/OTP SSH implementation. The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication. This vulnerability has been assigned CVE-2025-32433 with an estimated CVSSv3 of 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The issue is caused by a flaw in the SSH protocol message handling which allows an attacker to send connection protocol messages prior to authentication.
>
> ### Am I affected?
>
> All users running an SSH server based on the Erlang/OTP SSH library are likely to be affected by this vulnerability. If your application uses Erlang/OTP SSH to provide remote access, assume you are affected.
>
> ### Impact
>
> The vulnerability allows an attacker to execute arbitrary code in the context of the SSH daemon. If your SSH daemon is running as root, the attacker has full access to your device. Consequently, this vulnerability may lead to full compromise of hosts, allowing for unauthorized access to and manipulation of sensitive data by third parties, or denial-of-service attacks.
>
> ### Mitigation
>
> Users are advised to update to the latest available Erlang/OTP release. Fixed versions are OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. As a temporary workaround, access to vulnerable SSH servers can be prevented by suitable firewall rules.
>
> ### Advisory
>
> An official advisory is available on GitHub: https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Matt Keeley (CC'ed) has just published an exploit at:

https://github.com/ProDefense/CVE-2025-32433

I'm also attaching the files to this message for archival. These correspond to the first and currently the only commit in the above repo, commit hash 7936ef1cae51717e191328f3f571bf8a69370ce0.

I did not test this, but at least it doesn't look obviously wrong to me.

I've also already seen an animated GIF of someone else's unreleased exploit running (probably real), and a fake exploit for this bug on a pastebin (doesn't look malicious, just fake).

Alexander
Attachments: CVE-2025-32433.py, Dockerfile, ssh_server.erl
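The mitigation section above names the first fixed release on each maintained OTP branch. The following is an added triage helper, not code from the thread or from the Erlang/OTP project: it parses an OTP version string and reports whether it is at or above the fixed release for its branch, treating branches with no fixed release listed (24 and earlier) as a separate status. The suggestion that the string comes from an install's `releases/<major>/OTP_VERSION` file, and that branches newer than 27 post-date the fix, are assumptions.

```python
"""Triage an Erlang/OTP version against the CVE-2025-32433 fixed releases
(OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20). Added example, not thread code.
The string can be read from an install's releases/<major>/OTP_VERSION file
(that path is an assumption about the host, not from the advisory)."""
from typing import Dict, Tuple

# First fixed release per maintained branch, straight from the advisory.
FIXED_PER_BRANCH: Dict[int, Tuple[int, ...]] = {
    25: (25, 3, 2, 20),
    26: (26, 2, 5, 11),
    27: (27, 3, 3),
}
NEWEST_FIXED_BRANCH = max(FIXED_PER_BRANCH)

def parse_otp_version(text: str) -> Tuple[int, ...]:
    """Turn 'OTP-26.2.5.11' or '26.2.5.11' into a comparable tuple."""
    text = text.strip()
    if text.upper().startswith("OTP-"):
        text = text[4:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an OTP version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'no-fix-listed' for one version."""
    v = parse_otp_version(version)
    major = v[0]
    if major in FIXED_PER_BRANCH:
        # Tuple comparison pads correctly: (26, 2, 5) < (26, 2, 5, 11).
        return "fixed" if v >= FIXED_PER_BRANCH[major] else "vulnerable"
    if major > NEWEST_FIXED_BRANCH:
        # Assumption: branches newer than 27 were cut after the fix landed.
        return "fixed"
    # 24 and earlier: the advisory lists no fixed release, treat as affected.
    return "no-fix-listed"

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for an inventory of host -> version string."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory; host names and versions are made up.
SAMPLE_INVENTORY = {
    "bastion-a": "OTP-27.3.3",
    "router-fw": "OTP-26.2.5.10",
    "legacy-box": "24.3.4.17",
}
```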