If I interpret the patch correctly the issue seems to be that you could just ask for a channel and do a request_exec before authenticating. The regression test is:
{send, hello},
{send, ssh_msg_kexinit},
{match, #ssh_msg_kexinit{_='_'}, receive_msg},
{send, SshMsgChannelOpen},
{send, SshMsgChannelRequest},
{match, disconnect(), receive_msg}
https://github.com/erlang/otp/commit/6eef04130afc8b0ccb63c9a...
edit: Ah, found by the people at RUB, they do a lot of research in verifying protocol implementations iirc.
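An added example, not code from this thread or from OTP: a small Python model of the gate the fix enforces, run against the regression sequence quoted above. The message numbers are the RFC 4250 values; the state machine itself (no key exchange, no real credential check, `auth_ok` passed in by the caller) is an assumption made to keep the model short.

```python
# Constructed model of an SSH server's packet dispatcher. Message numbers are
# the real RFC 4250 assignments; everything else is a simplification.
from dataclasses import dataclass

SSH_MSG_KEXINIT = 20
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98

# RFC 4254 connection-protocol messages occupy 80-127. None of them may be
# acted on before user authentication has succeeded.
CONNECTION_PROTOCOL = range(80, 128)


@dataclass
class ServerConnection:
    authenticated: bool = False

    def handle(self, msg_type: int, auth_ok: bool = False) -> str:
        """Dispatch one packet and return the server's reply action."""
        if msg_type in CONNECTION_PROTOCOL and not self.authenticated:
            # The fix: a channel open / exec request arriving before auth is
            # a protocol violation, so disconnect rather than process it.
            return "disconnect"
        if msg_type == SSH_MSG_KEXINIT:
            return "kexinit"  # reply with our own KEXINIT (kex itself omitted)
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            if auth_ok:  # stands in for a real credential check (assumption)
                self.authenticated = True
                return "userauth_success"
            return "userauth_failure"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            return "channel_open_confirmation"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            return "channel_success"  # where the exec would be started
        return "unimplemented"


def run(sequence) -> list:
    """Feed a client message sequence to a fresh server; stop on disconnect."""
    conn, replies = ServerConnection(), []
    for item in sequence:
        msg_type, auth_ok = item if isinstance(item, tuple) else (item, False)
        replies.append(conn.handle(msg_type, auth_ok))
        if replies[-1] == "disconnect":
            break
    return replies


# The regression test from the patch, transcribed (the version-string "hello"
# is not a numbered packet, so it is omitted): channel open + channel request
# with no userauth at all -> the server must answer with a disconnect.
PRE_AUTH_SEQUENCE = [SSH_MSG_KEXINIT, SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST]
# A well-behaved client authenticates first; the same channel messages then pass.
NORMAL_SEQUENCE = [SSH_MSG_KEXINIT, (SSH_MSG_USERAUTH_REQUEST, True),
                   SSH_MSG_CHANNEL_OPEN, SSH_MSG_CHANNEL_REQUEST]
```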
most Elixir deployments are probably unaffected (obviously, please please check to be sure), as SSH is turned off by default.
For folks interested in the security aspects of Erlang/BEAM languages, the guidelines from the Security Working Group of the Erlang Ecosystem Foundation are a good resource - https://security.erlef.org/ and https://erlef.org/wg/security
I wrote a GitHub "clone" a while ago, implementing Git's wire and transfer protocol directly in Elixir.
https://git-scm.com/docs/protocol-v2
https://git-scm.com/book/ms/v2/Git-on-the-Server-The-Protoco...
Adding support for Git over SSH was very easy using Erlang built-in SSH libs.
https://github.com/redrabbit/git.limo
https://github.com/redrabbit/git.limo/blob/master/apps/gitgu...
How does this affect servers like ejabberd? I just noticed that they upgraded their server yesterday [0] and am wondering if it could contain some kind of fix for this, or would this be unrelated?
Oops..... we are currently trying to sell an elixir-based greenfield project internally. This doesn't affect elixir by default as other commenters pointed out, but still might make our project a bit harder to pitch to management...
There's something really strange and upsetting reading this on an archive site that won't be around for much longer..
you could probably write a custom XDP program to parse and check for this payload using a tool like yeet and XDP_DROP it.
you can try our sandbox at https://yeet.cx/play
As I understand it, this is talking about an SSH server built into Erlang/OTP, not e.g. OpenSSH on a server with Erlang installed.
>Any service using Erlang/OTP's SSH library for remote access such as those used in OT/IoT devices, edge computing devices are susceptible to exploitation.
https://thehackernews.com/2025/04/critical-erlangotp-ssh-vul...