Jakub Witczak

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 29.0.1 Erlang OTP versions prior to 28.5.0.2 Erlang OTP versions prior to 27.3.4.13 **Description** An issue in the `ssh sftpd` module allows for file discovery through the exposure of sensitive information. The `SSH FXP READLINK` handler sends the raw result of the `file:read link/2` function to the client without using `chroot filename/2` to remove the backend root prefix. Consequently, an authenticated SFTP client can create a symlink inside the chroot pointing to `/`, and reading it back via `SSH FXP READLINK` returns the absolute backend root path (e.g., `/data/sftp`) instead of the chrooted value `/`. This discloses the absolute filesystem path of the SFTP root directory and any symlink targets within it, although file contents, credentials, and paths outside the root directory remain inaccessible. This issue is associated with the file `lib/ssh/src/ssh sftpd.erl` and requires the SFTP subsystem to be enabled with the `root` option configured in the `ssh sftpd:subsystem spec/1` call. **Recommendations** Update Erlang OTP to version 29.0.2 or later. Update Erlang OTP to version 28.5.0.2 or later. Update Erlang OTP to version 27.3.4.13 or later. Use OS-level chroot to run the Erlang VM or SFTP server process in an isolated filesystem environment. Ensure the SFTP server port is not reachable from untrusted machines. Ensure no sensitive information is inferrable from the absolute path of the configured root directory.

**Name of the Vulnerable Software and Affected Versions** Erlang/OTP versions 26.0 through 29.0.1 Erlang/OTP version 28.5.0.1 and earlier Erlang/OTP version 27.3.4.12 and earlier ssl versions 11.0 through 11.7.1 ssl version 11.6.0.1 and earlier ssl version 11.2.12.8 and earlier **Description** An issue in the `inet tls dist` module allows an unauthenticated bypass of the LAN allowlist for Erlang distribution over TLS. The `check ip()` function incorrectly calls `sockname()` instead of `peername()` to retrieve the peer's IP address. Since `sockname()` returns the local socket address, the subnet mask comparison always succeeds regardless of the actual remote address. Consequently, any holder of a CA-signed TLS certificate can bypass LAN restrictions and gain full distribution access to the node, including the ability to use `rpc:call()` and `code:load binary()` functions. **Recommendations** Update Erlang/OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. Update ssl to version 11.7.2, 11.6.0.2, or 11.2.12.9. Implement a custom `verify fun` SSL option that correctly checks the peer IP address using `peername()` on the socket.

**Name of the Vulnerable Software and Affected Versions** Erlang/OTP versions 29.0 through 29.0.1 ssh versions 6.0 through 6.0.0 **Description** A timing side-channel in password authentication allows unauthenticated remote attackers to enumerate usernames. When the SSH daemon is configured with the `user passwords` or `password` option, the `check password/3()` function in the `ssh auth` module performs a PBKDF2-SHA256 computation for valid usernames, taking approximately 300ms. Conversely, for invalid usernames, the `get password option/2()` function in the `ssh options` module returns immediately. This discrepancy allows an attacker to distinguish between valid and invalid usernames in a single attempt. **Recommendations** Update Erlang/OTP to version 29.0.2 or later. Update ssh to version 6.0.1 or later. Use the `pwdfun` option instead of `user passwords` for password authentication. Restrict SSH port access to trusted networks via firewall rules.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 19.3 through 26.2.5.20 Erlang OTP versions 26.2.5.21 through 27.3.4.11 Erlang OTP versions 27.3.4.12 through 28.5.0.0 Erlang OTP versions 28.5.0.1 through 29.0.0 public key versions 1.4 through 1.15.1.6 public key versions 1.15.1.7 through 1.17.1.2 public key versions 1.17.1.3 through 1.20.3.0 public key versions 1.20.3.1 through 1.21.0 **Description** Improper certificate validation in the `pubkey cert` and `public key` modules allows a DNS nameConstraints bypass during TLS hostname verification. This occurs because `pubkey cert:validate names/6` only checks Subject Alternative Name (SAN) DNS entries against nameConstraints, meaning certificates without a SAN trivially satisfy permitted DNS constraints. Simultaneously, `public key:pkix verify hostname/3` falls back to the subject CommonName when no SAN is present, matching it against the reference hostname. This combination allows a subordinate CA with restricted DNS nameConstraints to issue a leaf certificate that an OTP TLS client accepts for an out-of-scope hostname. This bypass is reachable via `ssl:connect` using `verify peer`, a trusted CA, SNI, and the strict https hostname matcher. **Recommendations** Update Erlang OTP to version 26.2.5.21, 27.3.4.12, 28.5.0.1, or 29.0.1 depending on the current release branch. Update public key to version 1.15.1.7, 1.17.1.3, 1.20.3.1, or 1.21.1 depending on the current release branch. Use the `verify fun` option in the ssl application to ensure TLS connections fail if the end-entity certificate lacks the subjectAltName extension or a domain name, ensuring the `verify fun` does not accept the `name not permitted` error.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 27.0 through 27.3.4.11 Erlang OTP versions prior to 28.5.0.1 Erlang OTP versions prior to 29.0.1 public key versions 1.16 through 1.17.1.2 public key versions prior to 1.20.3.1 public key versions prior to 1.21.1 **Description** Improper Certificate Validation in the `pubkey ocsp` module of Erlang OTP `public key` allows forged Online Certificate Status Protocol (OCSP) responses signed with an expired responder certificate to be accepted as valid. The functions `verify response/5` and `is authorized responder/3` fail to check the validity period (`notBefore`/`notAfter`) of the OCSP responder certificate. An attacker possessing the private key of an expired CA-designated OCSP responder certificate can forge responses that the system accepts. This impacts TLS clients using OCSP stapling via the `ssl` application, potentially allowing a compromised server to present a revoked TLS certificate as valid. It also affects applications directly calling the `pkix ocsp validate/5` function, which may lead to authentication bypass during server-side client certificate validation. **Recommendations** Update Erlang OTP to version 27.3.4.12, 28.5.0.1, or 29.0.1. Update public key to version 1.17.1.3, 1.20.3.1, or 1.21.1. For TLS clients using the `ssl` application, disable OCSP stapling by setting `{stapling, no staple}` in client options or switch to CRL-based revocation checking with `{crl check, true}`. For applications calling `pkix ocsp validate/5` directly, validate the responder certificate's validity period in the application code before calling the function.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 26.2.5.20 Erlang OTP versions 27.x prior to 27.3.4.12 Erlang OTP versions 28.x prior to 28.5.0.1 Erlang OTP versions 29.x prior to 29.0.1 public key versions 0.22 through 1.15.1.6 public key versions 1.17.x prior to 1.17.1.3 public key versions 1.20.x prior to 1.20.3.1 public key versions 1.21.x prior to 1.21.1 **Description** Improper following of a certificate's chain of trust in the `pubkey cert` module allows a non-CA certificate to be accepted as an intermediate issuer, enabling certificate chain forgery. The function `pubkey cert:validate extensions/7` contains flaws where a certificate with `basicConstraints` set to `cA:false` and no `keyUsage` extension can be used as an intermediate issuer in a chain passed to `public key:pkix path validation/3`. This occurs because the `cA:false` clause does not reject the certificate when it is in the issuer position, and the `keyUsage` check is bypassed if the extension is entirely absent. Consequently, an attacker with an end-entity certificate issued by a trusted CA can sign forged leaf certificates for arbitrary identities. This affects all TLS or mTLS endpoints built on the OTP ssl application using the default verifier, including client-side server identity verification and mTLS server client certificate verification. **Recommendations** Update Erlang OTP to version 26.2.5.21, 27.3.4.12, 28.5.0.1, or 29.0.1 depending on the current release branch. Update public key to version 1.15.1.7, 1.17.1.3, 1.20.3.1, or 1.21.1 depending on the current release branch. Use the `verify fun` option in the ssl or public key application to ensure path validation rejects chains where an intermediate certificate lacks `basicConstraints cA:true`.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.4.3 Erlang OTP versions 17.0 through 27.3.4.11 Erlang OTP versions 17.0 through 26.2.5.20 **Description** A path traversal issue in the Erlang OTP ssh `ssh sftpd` module allows an authenticated SFTP user to modify file attributes outside the configured chroot directory. The SFTP daemon stores the raw, user-supplied path in file handles instead of the chroot-resolved path. When `SSH FXP FSETSTAT` is issued on such a handle, file attributes like permissions, ownership, and timestamps are modified on the real filesystem path, bypassing the root directory boundary. This requires the server to be configured with the root option and for the target file to exist on the real filesystem at the same relative path. This flaw only allows the modification of file attributes; file contents cannot be read or altered. If the SSH daemon runs as root, an attacker can achieve privilege escalation by setting the setuid bit on binaries, changing ownership of sensitive files, or making system configurations world-writable. The issue is associated with the file `lib/ssh/src/ssh sftpd.erl` and the functions `ssh sftpd:do open/4` and `ssh sftpd:handle op/4`. **Recommendations** Update Erlang OTP to a version later than 28.4.3, 27.3.4.11, or 26.2.5.20 depending on the release branch. Do not use the root option in `ssh sftpd:subsystem spec/1` and instead use OS-level chroot or container isolation to confine SFTP users. Ensure the Erlang VM is not running as a privileged OS user to limit the impact of attribute modifications.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 27.0 through 28.4.2 and 27.3.4.10 public key versions 1.16 through 1.20.3 and 1.17.1.2 ssl versions 11.2 through 11.5.4 and 11.2.12.7 **Description** An issue exists in the public key (pubkey ocsp module) of Erlang OTP related to improper certificate validation. Specifically, the OCSP response validation process does not verify the cryptographic signature of CA-designated responder certificates, relying only on issuer name matching and the OCSPSigning extended key usage. This allows an attacker to forge OCSP responses, potentially marking revoked certificates as valid. This impacts SSL/TLS clients using OCSP stapling and applications directly using the `public key:pkix ocsp validate/5` API. The vulnerable code is located in the files lib/public key/src/pubkey ocsp.erl and program routines `pubkey ocsp:is authorized responder/3`. **Recommendations** For SSL users: Do not enable OCSP validation setting (current default is {stapling, no staple}) Use CRL-based revocation checking by setting the {crl check, true} SSL option instead For applications using `public key:pkix ocsp validate/5` directly: Pass {is trusted responder fun, Fun} option with a function that validates trusted responder certificates Restrict OCSP responder access to trusted endpoints via network controls

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.4.1 Erlang OTP versions 26.2.5.18 through 27.3.4.9 **Description** An improper limitation of a pathname to a restricted directory, specifically a 'Path Traversal' issue, exists in the Erlang OTP `ssh sftpd` module. The SFTP server uses string prefix matching with the `lists:prefix/2` function instead of proper path component validation when verifying if a path is within the configured root directory. This allows authenticated users to access sibling directories that share a common name prefix with the configured root directory. For example, if the root directory is set to `/home/user1`, paths like `/home/user10` or `/home/user1 backup` could be incorrectly considered within the root. The issue is associated with the program file `lib/ssh/src/ssh sftpd.erl` and the `ssh sftpd:is within root/2` function. **Recommendations** Update Erlang OTP to a version later than 28.4.1. Update Erlang OTP to a version later than 27.3.4.9. Update Erlang OTP to a version later than 26.2.5.18.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.4.1 Erlang OTP versions 26.2.5.18 through 27.3.4.9 **Description** An issue exists in Erlang OTP ssh (ssh transport modules) that allows for Denial of Service via Resource Depletion. The SSH transport layer, by default, advertises legacy zlib compression and inflates attacker-controlled payloads without a size limit before authentication. This enables a reliable memory exhaustion attack. Two compression algorithms are affected: zlib, which activates immediately after key exchange, and zlib@openssh.com, which activates post-authentication. Each SSH packet can decompress approximately 255 MB from 256 KB of data, resulting in a 1029:1 amplification ratio. Multiple packets can quickly exhaust available memory, potentially causing Out-Of-Memory (OOM) kills in environments with limited memory. The issue is associated with the `ssh transport.erl` file and the `ssh transport:decompress/2` and `ssh transport:handle packet part/4` routines. **Recommendations** Update Erlang OTP to a version later than 28.4.1. Update Erlang OTP to a version later than 27.3.4.9.

**Name of the Vulnerable Software and Affected Versions** erlang otp versions 1.0 through 6.9 erlang otp version 17.0 erlang otp versions prior to 7.0 **Description** The software contains a Relative Path Traversal and Improper Isolation or Compartmentalization issue. The issue is associated with program files `lib/tftp/src/tftp file.erl` and `src/tftp file.erl`. The vulnerability affects the `tftp file` modules within erlang/otp, inets, and tftp. **Recommendations** erlang otp versions 1.0 through 6.9: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp version 17.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp versions prior to 7.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.0.3 Erlang OTP versions 26.2.5.15 through 27.3.4.3 Erlang OTP versions 27.3.4.3 Erlang OTP versions 28.0.3 ssh versions 3.0.1 through 5.3.3 ssh versions 5.1.4.12 ssh versions 5.2.11.3 **Description** An Allocation of Resources Without Limits or Throttling issue exists in Erlang OTP ssh (ssh sftp modules), potentially leading to Excessive Allocation and Resource Leak Exposure. The issue is associated with the `ssh sftpd.erl` file. **Recommendations** Update Erlang OTP to a version later than 28.0.3. Update ssh to a version later than 5.3.3. Update ssh to a version later than 5.2.11.3. Update ssh to a version later than 5.1.4.12.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.0.3 Erlang OTP versions 26.2.5.15 Erlang OTP versions 27.3.4.3 **Description** An Allocation of Resources Without Limits or Throttling issue exists in the Erlang OTP ssh (ssh sftp modules), potentially leading to Excessive Allocation and Flooding. The vulnerability is associated with the `ssh sftpd.erl` file. **Recommendations** Update Erlang OTP to a version later than 28.0.3. Update Erlang OTP to a version later than 26.2.5.15. Update Erlang OTP to a version later than 27.3.4.3.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.0.3 Erlang OTP versions 26.2.5.15 Erlang OTP versions 27.3.4.3 ssh versions 3.0.1 through 5.3.3 ssh versions 5.1.4.12 ssh versions 5.2.11.3 **Description** An uncontrolled resource consumption issue exists in Erlang OTP ssh (ssh sftp modules), allowing excessive allocation and flooding. The issue is associated with the `ssh sftpd.erl` file. **Recommendations** Update Erlang OTP to a version later than 28.0.3. Update ssh to a version later than 5.3.3. Update ssh to a version later than 5.2.11.3. Update ssh to a version later than 5.1.4.12.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 28.0.3 Erlang OTP versions 26.2.5.15 through 27.3.4.3 Erlang OTP versions 27.3.4.3 Erlang OTP versions 28.0.3 ssh versions 3.0.1 through 5.3.3 ssh versions 5.1.4.12 ssh versions 5.2.11.3 **Description** An Allocation of Resources Without Limits or Throttling issue exists in Erlang OTP ssh (ssh sftp modules), potentially leading to Excessive Allocation and Resource Leak Exposure. The issue is associated with the `ssh sftpd.erl` file. **Recommendations** Update Erlang OTP to a version later than 28.0.3. Update ssh to a version later than 5.3.3. Update ssh to a version later than 5.2.11.3. Update ssh to a version later than 5.1.4.12.