Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability

Vulnerability

A critical vulnerability allowing unauthenticated remote code execution has been identified in the SSH server implementation of Erlang/OTP. Affected are OTP-27.3.2, OTP-26.2.5.10 and OTP-25.3.2.19, together with every release prior to these. The flaw arises from the server handling SSH protocol messages before authentication has completed, which lets an attacker execute arbitrary commands on the server without any credentials. If the SSH daemon runs as root, this leads to a full compromise of the host.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the affected system. This could result in a complete compromise of the host, especially if the SSH daemon is running with root privileges.

Reproduction

The vulnerability can be reproduced by sending SSH protocol messages that request the execution of commands before the authentication process is completed. This can be done using a crafted SSH client that bypasses the normal protocol sequence.

Remediation

Users are advised to update to Erlang/OTP versions 27.3.3, 26.2.5.11, or 25.3.2.20. Until the update is applied, the SSH server can be disabled, or access to it restricted with firewall rules.
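A quick way to check a host against the fixed releases named above, as an added example that is not part of this advisory: the script maps the installed OTP version onto the three patched branches and reports whether it is at or past the fix. It assumes `erl` is on PATH and relies on the documented OTP_VERSION file under `releases/<release>/` in the Erlang root directory; a major release newer than 27 is reported as unknown because the advisory does not cover it.

```python
import re
import subprocess
from pathlib import Path

# Fixed releases named in the advisory, keyed by major OTP release.
FIXED = {27: (27, 3, 3), 26: (26, 2, 5, 11), 25: (25, 3, 2, 20)}
OLDEST_FIXED_MAJOR = min(FIXED)
NEWEST_FIXED_MAJOR = max(FIXED)


def parse_otp_version(text):
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into a tuple of ints."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not an OTP version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def classify(version):
    """Return 'fixed', 'affected' or 'unknown' for a parsed version tuple."""
    major = version[0]
    if major < OLDEST_FIXED_MAJOR:
        return "affected"   # advisory: every release before the patched lines
    if major > NEWEST_FIXED_MAJOR:
        return "unknown"    # newer major line, not covered by the advisory text
    # Tuple comparison handles short strings: (27, 3) < (27, 3, 3) -> affected.
    return "fixed" if version >= FIXED[major] else "affected"


def installed_otp_version():
    """Ask the local erl for its root dir and read releases/<N>/OTP_VERSION."""
    eval_expr = ('io:format("~s~n~s~n", [code:root_dir(), '
                 'erlang:system_info(otp_release)]), halt().')
    out = subprocess.run(["erl", "-noshell", "-eval", eval_expr],
                         capture_output=True, text=True, check=True)
    root, release = out.stdout.splitlines()[:2]
    # Documented location of the full version string for an installed release.
    return parse_otp_version(Path(root, "releases", release, "OTP_VERSION").read_text())


if __name__ == "__main__":
    v = installed_otp_version()
    print("OTP", ".".join(map(str, v)), "->", classify(v))
```

A "fixed" verdict only reflects the OTP release string; whether the ssh application is actually started on the host, and whether it runs as root, are separate checks.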

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 10.0
exploitability: 6.4
remediation: 8.3
relevance: 0.0
threat: 9.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.