Full Report
Erlang security advisory (AV26-651)
Analysis Summary
# Vulnerability: Erlang/OTP Denial of Service in TLS and DTLS
## CVE Details
*Note: Specific CVE IDs were not explicitly listed in the brief advisory summary, but the issues correspond to the following GitHub Security Advisories:*
- **CVE ID:** Pending/Referenced as GHSA-8c57-44c9-pc59 and GHSA-hwfc-5hf4-gvr3
- **CVSS Score:** Not specified (Estimated High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** Erlang/OTP (including SSL/TLS and DTLS components)
- **Versions:**
- OTP versions prior to 27.3.4.14, 28.5.0.3, and 29.0.3.
- SSL (OTP) versions prior to 11.7.3, 11.6.0.3, and 11.2.12.10.
- **Configurations:** Erlang-based servers utilizing TLS 1.3 with session tickets enabled, or applications utilizing the DTLS protocol.
## Vulnerability Description
This advisory addresses two distinct Denial-of-Service (DoS) mechanisms within the Erlang/OTP network stack:
1. **TLS 1.3 Session Ticket DoS:** A flaw in how the TLS-1.3 server handles session tickets. An attacker can potentially overwhelm the server's resource management by sending crafted or excessive session ticket requests, leading to service exhaustion.
2. **DTLS Denial of Service:** A separate vulnerability in the Datagram Transport Layer Security (DTLS) implementation that allows an attacker to trigger a crash or hang the service via malformed network packets.
## Exploitation
- **Status:** Vulnerability disclosed; PoC availability is limited but likely reproducible based on the advisory details.
- **Complexity:** Medium
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Can lead to total service unavailability for Erlang-based applications)
## Remediation
### Patches
Maintainers recommend upgrading Erlang/OTP to the following versions or higher:
- **OTP 27:** Upgrade to 27.3.4.14
- **OTP 28:** Upgrade to 28.5.0.3
- **OTP 29:** Upgrade to 29.0.3
For the SSL application specifically:
- **SSL 11.7.x:** Upgrade to 11.7.3
- **SSL 11.6.x:** Upgrade to 11.6.0.3
- **SSL 11.2.x:** Upgrade to 11.2.12.10
### Workarounds
- For the TLS 1.3 issue, disabling Session Tickets on the server side may mitigate the specific attack vector, though this may impact performance for reconnecting clients.
- Restrict access to DTLS services via firewall/ACLs to known trusted IPs where possible.
## Detection
- **Indicators of Compromise:** Unusual spikes in CPU/Memory usage specifically within the Erlang Beam VM process; high volumes of TLS handshake failures in application logs.
- **Detection methods:** Monitor Erlang distribution logs for supervisor reports showing repeated crashes of the SSL/TLS process handlers.
## References
- [Erlang Security Advisory GHSA-8c57-44c9-pc59] - hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-8c57-44c9-pc59
- [Erlang Security Advisory GHSA-hwfc-5hf4-gvr3] - hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-hwfc-5hf4-gvr3
- [Erlang Security Central] - hxxps[://]github[.]com/erlang/otp/security