Raimo Niskanen

**Name of the Vulnerable Software and Affected Versions** Erlang/OTP versions 26.0 through 29.0.1 Erlang/OTP version 28.5.0.1 and earlier Erlang/OTP version 27.3.4.12 and earlier ssl versions 11.0 through 11.7.1 ssl version 11.6.0.1 and earlier ssl version 11.2.12.8 and earlier **Description** An issue in the `inet tls dist` module allows an unauthenticated bypass of the LAN allowlist for Erlang distribution over TLS. The `check ip()` function incorrectly calls `sockname()` instead of `peername()` to retrieve the peer's IP address. Since `sockname()` returns the local socket address, the subnet mask comparison always succeeds regardless of the actual remote address. Consequently, any holder of a CA-signed TLS certificate can bypass LAN restrictions and gain full distribution access to the node, including the ability to use `rpc:call()` and `code:load binary()` functions. **Recommendations** Update Erlang/OTP to version 29.0.2, 28.5.0.2, or 27.3.4.13. Update ssl to version 11.7.2, 11.6.0.2, or 11.2.12.9. Implement a custom `verify fun` SSL option that correctly checks the peer IP address using `peername()` on the socket.

**Name of the Vulnerable Software and Affected Versions** Erlang OTP versions 17.0 through 27.3.4.12 Erlang OTP version 28.5.0.1 Erlang OTP version 29.0.1 erts versions 6.0 through 15.2.7.8 erts version 16.4.0.1 erts version 17.0.1 **Description** A stack-based buffer overflow exists in the `sctp parse error chunk()` function within `erts/emulator/drivers/common/inet drv.c`. The function parses SCTP ERROR chunks and writes cause codes into a fixed-size stack-allocated `spec[]` array without performing bounds checking. An unauthenticated remote attacker with an established SCTP association to a listening port can send a crafted SCTP ERROR chunk containing excessive cause codes to overflow the stack buffer, resulting in a crash of the BEAM VM (Denial of Service). Because the attacker can only write 16-bit values interleaved with a fixed tag, a controlled return address cannot be achieved. Additionally, a crafted SCTP ERROR chunk may leak fragments of Erlang VM memory into the received error packet, though the disclosure scope is limited as the data is already readable by the user running the VM. This issue requires SCTP support to be compiled into OTP and a listening SCTP socket to be opened via `gen sctp` with the default inet backend. **Recommendations** Update Erlang OTP to version 27.3.4.13, 28.5.0.2, or 29.0.2. Update erts to version 15.2.7.9, 16.4.0.2, or 17.0.2.

Name of the Vulnerable Software and Affected Versions Erlang/OTP versions 17.0 through 28.4.2, 27.3.4.10 and 26.2.5.19 Description A predictable number generation issue in the Erlang/OTP kernel's `inet res` and `inet db` modules allows for DNS cache poisoning. The built-in DNS resolver uses a sequential transaction ID for UDP queries and lacks source port randomization. Validation relies heavily on this ID, making it possible for an attacker to forge DNS responses if they can observe a query or predict the next ID. This is inconsistent with RFC 5452 recommendations. The `inet res` resolver is designed for trusted network environments and with trusted recursive resolvers. The affected program files are `lib/kernel/src/inet db.erl` and `lib/kernel/src/inet res.erl`. Recommendations Install Erlang nodes in a trusted network protected from DNS reply spoofing by firewalls, and configure the `inet res` resolver to communicate only with trusted recursive name servers within that network.

**Name of the Vulnerable Software and Affected Versions** erlang otp versions 1.0 through 6.9 erlang otp version 17.0 erlang otp versions prior to 7.0 **Description** The software contains a Relative Path Traversal and Improper Isolation or Compartmentalization issue. The issue is associated with program files `lib/tftp/src/tftp file.erl` and `src/tftp file.erl`. The vulnerability affects the `tftp file` modules within erlang/otp, inets, and tftp. **Recommendations** erlang otp versions 1.0 through 6.9: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp version 17.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability. erlang otp versions prior to 7.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.