Erlang OTP
cpe:2.3:a:erlang:otp:*:*:*:*:*:*:*
- >= 17.0, <= 28.0.3
A vulnerability allowing uncontrolled resource consumption has been identified in the SSH SFTP module of Erlang OTP. The issue is present in OTP versions 17.0 through 28.0.3, including the maintained 26.x and 27.x release branches, and arises from the SSH implementation being overly permissive with data from unauthenticated clients. Key exchange runs at the SSH transport layer before any authentication, so anyone who can reach the listening port can send the malicious messages. Crafted key exchange messages lead to excessive CPU and memory usage. The vulnerability is linked to the handling of KEXINIT messages, where a very large number of individually valid-sized algorithm names can be listed in the name-lists, or cryptographic parameters of excessive size can be introduced, causing disproportionate processing and exception handling on the server.
Exploitation requires no credentials: the crafted messages trigger excessive allocation and message flooding in the server, driving up CPU and memory usage and degrading service for legitimate clients.
The issue can be reproduced by sending a KEXINIT message whose name-lists carry an unusually large number of algorithm names, or key exchange parameters far larger than any genuine key exchange would use. A custom SSH client, or an existing client modified to emit the oversized payloads, suffices; because the messages arrive before authentication, no account on the target is needed. Once the message is received, the SSH server processes the data and its resource consumption rises.
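To make the two message shapes concrete, here is an added Python checker (not code from this page or from Erlang/OTP) that parses SSH_MSG_KEXINIT and SSH_MSG_KEXDH_INIT payloads in their RFC 4253 wire format and flags the abuse patterns described above: name-lists with an implausible number of individually valid names, and a key exchange value wider than the negotiated group. The thresholds `MAX_NAMES_PER_LIST`, `MAX_LIST_BYTES` and the sample messages are assumptions constructed for the example; such a check could sit in a front-end proxy or IDS, it is not how OTP's fix works.

```python
"""Added example: parse and sanity-check the two SSH key-exchange messages the
advisory describes (RFC 4253 wire format). Illustrative checker code, not
Erlang/OTP's implementation; thresholds and samples below are assumptions."""
import struct

SSH_MSG_KEXINIT = 20      # RFC 4253 section 7.1
SSH_MSG_KEXDH_INIT = 30   # RFC 4253 section 8

# The ten name-lists of a KEXINIT, in wire order.
KEXINIT_NAME_LISTS = [
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
]

# Assumed policy limits: real clients offer a handful of names per list.
MAX_NAMES_PER_LIST = 64
MAX_LIST_BYTES = 4096


def _read_uint32(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated uint32")
    return struct.unpack_from(">I", buf, off)[0], off + 4


def _read_string(buf, off):
    """SSH 'string', 'name-list' and 'mpint' all share the uint32 length prefix."""
    n, off = _read_uint32(buf, off)
    if off + n > len(buf):
        raise ValueError("length %d exceeds remaining payload" % n)
    return buf[off:off + n], off + n


def parse_kexinit(payload):
    """Return {field: (names, byte_length)} for each name-list in a KEXINIT."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT")
    off = 1 + 16  # message type + 16-byte cookie
    lists = {}
    for field in KEXINIT_NAME_LISTS:
        raw, off = _read_string(payload, off)
        names = raw.decode("ascii").split(",") if raw else []
        lists[field] = (names, len(raw))
    off += 1                             # first_kex_packet_follows (boolean)
    _, off = _read_uint32(payload, off)  # reserved, must be 0
    if off != len(payload):
        raise ValueError("trailing bytes after KEXINIT")
    return lists


def check_kexinit(payload):
    """Return a list of findings; an empty list means the KEXINIT looks sane."""
    findings = []
    for field, (names, nbytes) in parse_kexinit(payload).items():
        if len(names) > MAX_NAMES_PER_LIST:
            findings.append("%s: %d names exceeds %d" % (field, len(names), MAX_NAMES_PER_LIST))
        if nbytes > MAX_LIST_BYTES:
            findings.append("%s: %d bytes exceeds %d" % (field, nbytes, MAX_LIST_BYTES))
    return findings


def check_kexdh_init(payload, group_bits):
    """Flag a KEXDH_INIT whose mpint e is wider than the negotiated DH group."""
    if not payload or payload[0] != SSH_MSG_KEXDH_INIT:
        raise ValueError("not a KEXDH_INIT")
    raw, _ = _read_string(payload, 1)
    e = int.from_bytes(raw, "big", signed=True)
    if e.bit_length() > group_bits:
        return ["e is %d bits, group is %d bits" % (e.bit_length(), group_bits)]
    return []


# --- constructed sample messages (not captured traffic) ---------------------

def build_kexinit(lists, cookie=b"\x00" * 16):
    out = bytearray([SSH_MSG_KEXINIT]) + cookie
    for field in KEXINIT_NAME_LISTS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=false, reserved
    return bytes(out)


def build_kexdh_init(e):
    raw = e.to_bytes((e.bit_length() + 8) // 8, "big")  # leading 0x00 keeps it positive
    return bytes([SSH_MSG_KEXDH_INIT]) + struct.pack(">I", len(raw)) + raw


BENIGN_KEXINIT = build_kexinit({
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-256"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
})
# One individually valid name repeated thousands of times: the flood pattern.
FLOOD_KEXINIT = build_kexinit({"kex_algorithms": ["diffie-hellman-group14-sha256"] * 5000})

if __name__ == "__main__":
    print("benign:", check_kexinit(BENIGN_KEXINIT) or "ok")
    print("flood: ", check_kexinit(FLOOD_KEXINIT))
    print("oversized e:", check_kexdh_init(build_kexdh_init(1 << 100000), 2048))
```

Note that every field is length-prefixed, so a peer can declare a 150 kB name-list that is syntactically valid; the cost is in splitting and matching thousands of names, and in parsing an mpint many times wider than the group, which is why a bound on count and width before doing that work is the right place to push back.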
The vulnerability is patched in Erlang OTP 28.0.4, 27.3.4.3 and 26.2.5.15; users should update to the fixed release for their branch. Instructions for applying the update can be found in the Erlang/OTP documentation. Where an immediate upgrade is not possible, restricting which hosts can reach the ssh daemon's listening port, and lowering the daemon's `negotiation_timeout` and `max_sessions` options to cap the time spent on pre-authentication handshakes and the number of concurrent connections, reduces exposure but does not remove the flaw.