Erlang security advisory (AV26-581)
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Erlang/OTP
## CVE Details
*Note: While the advisory (AV26-581) identifies three distinct security flaws, external CVE identifiers were not explicitly listed in the provided summary. Users should refer to the GitHub Security Advisory (GHSA) links below for official CVE mappings.*
- **CVE ID:** Pending (GitHub advisories GHSA-6f4f-chj5-5g97, GHSA-gp7x-mfv6-52cv, GHSA-m75x-4vwg-ggjh)
- **CVSS Score:** Not provided (likely High or Critical, given the stack-based buffer overflow and the credential leak)
- **CWE:**
  - CWE-121: Stack-based Buffer Overflow
  - CWE-522: Insufficiently Protected Credentials
  - CWE-284: Improper Access Control
## Affected Systems
- **Products:** Erlang/OTP, erts, inets, ssl
- **Versions:**
  - **OTP:** Prior to 27.3.4.13, 28.5.0.2, and 29.0.2
  - **erts:** Prior to 15.2.7.9, 16.4.0.2, and 17.0.2
  - **inets:** Prior to 9.7.1, 9.6.2.2, and 9.3.2.6
  - **ssl:** Prior to 11.7.2, 11.6.0.2, and 11.2.12.9
- **Configurations:** Systems utilizing SCTP error parsing, Distribution-over-TLS with LAN allowlists, or the `httpc` client for requests involving authorization headers and redirects.
## Vulnerability Description
This advisory covers three primary technical flaws:
1. **SCTP Buffer Overflow:** An unbounded stack-based buffer overflow exists in `inet_drv` while parsing SCTP "Error Cause" data, which can corrupt memory.
2. **TLS Allowlist Bypass:** The Distribution-over-TLS mechanism contains a flaw where the LAN allowlist is silently bypassed, potentially allowing unauthorized nodes to connect.
3. **HTTP Header Leak:** The `httpc` client fails to strip the `Authorization` header when following a cross-origin redirect, so credentials are sent to the third-party origin named in the redirect.
## Exploitation
- **Status:** PoC status not explicitly stated; likely private or undergoing research.
- **Complexity:** Low to Medium (Credential leaking is generally low complexity).
- **Attack Vector:** Network (Remote exploitation of HTTP redirects or SCTP packets).
## Impact
- **Confidentiality:** High (Leakage of Authorization headers and potential memory exposure).
- **Integrity:** High (Potential for code execution via stack overflow).
- **Availability:** High (Potential for system crashes/DoS via stack overflow).
## Remediation
### Patches
Update to the following versions or higher:
- **OTP:** 27.3.4.13 / 28.5.0.2 / 29.0.2
- **erts:** 15.2.7.9 / 16.4.0.2 / 17.0.2
- **inets:** 9.7.1 / 9.6.2.2 / 9.3.2.6
- **ssl:** 11.7.2 / 11.6.0.2 / 11.2.12.9
### Workarounds
- **For `httpc`:** Disable automatic redirect following for requests that carry an `Authorization` header, and handle any 3xx response explicitly.
- **For SCTP:** Disable SCTP support if the application does not strictly require it.
- **For TLS Distribution:** Add firewall or network-level filtering to compensate for the bypassed LAN allowlist.
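The `httpc` workaround above, written out as an added example (this is not code from the advisory or from OTP): the wrapper turns off `autoredirect`, follows 3xx responses itself, and drops `Authorization` whenever the `Location` target is a different origin. It assumes OTP 22.3 or later for `uri_string:resolve/2`, string-typed headers and URLs, and an absolute starting URL.

```erlang
-module(httpc_noleak).
-export([request/2]).
%% Added example, not OTP code: follow redirects by hand so that the
%% Authorization header is stripped before crossing to another origin.
-define(MAX_REDIRECTS, 5).

request(Url, Headers) ->
    [{ok, _} = application:ensure_all_started(A) || A <- [inets, ssl]],
    follow(Url, Headers, ?MAX_REDIRECTS).

follow(_Url, _Headers, 0) ->
    {error, too_many_redirects};
follow(Url, Headers, Left) ->
    %% With autoredirect off, httpc returns the 3xx to us untouched.
    HttpOpts = [{autoredirect, false}],
    case httpc:request(get, {Url, Headers}, HttpOpts, []) of
        {ok, {{_Vsn, Status, _Phrase}, RespHeaders, _Body}}
          when Status >= 300, Status < 400 ->
            %% httpc lowercases response header names.
            case lists:keyfind("location", 1, RespHeaders) of
                {_, Location} ->
                    Next = uri_string:resolve(Location, Url),
                    NextHeaders = case same_origin(Url, Next) of
                                      true  -> Headers;
                                      false -> strip_auth(Headers)
                                  end,
                    follow(Next, NextHeaders, Left - 1);
                false ->
                    {error, {redirect_without_location, Status}}
            end;
        Other ->
            Other
    end.

%% Origin = {scheme, host, effective port}, compared case-insensitively.
same_origin(A, B) -> origin(A) =:= origin(B).

origin(Url) ->
    #{scheme := Scheme, host := Host} = Parsed = uri_string:parse(Url),
    LScheme = string:lowercase(Scheme),
    Port = maps:get(port, Parsed, default_port(LScheme)),
    {LScheme, string:lowercase(Host), Port}.

default_port("https") -> 443;
default_port("http") -> 80;
default_port(_) -> undefined.

strip_auth(Headers) ->
    [H || {Name, _} = H <- Headers,
          string:lowercase(Name) =/= "authorization"].
```

Because the same-origin check includes the scheme and effective port, a redirect from `https://` to `http://` on the same host is also treated as cross-origin and loses the header.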
## Detection
- **Indicators of Compromise:** Unusual outbound traffic to unknown third-party domains immediately after a 3xx redirect; unexpected Erlang node connections from IPs outside the intended allowlist.
- **Detection Methods:** Monitor system logs for `inet_drv` crashes, and audit HTTP client logs for sensitive information disclosure (`Authorization` headers sent to an origin other than the original request target).
## References
- [Canadian Centre for Cyber Security Advisory] hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/erlang-security-advisory-av26-581
- [GHSA-6f4f-chj5-5g97] hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-6f4f-chj5-5g97
- [GHSA-gp7x-mfv6-52cv] hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-gp7x-mfv6-52cv
- [GHSA-m75x-4vwg-ggjh] hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-m75x-4vwg-ggjh
- [Erlang Security Policy] hxxps[://]github[.]com/erlang/otp/security