Full Report
Erlang security advisory (AV26-320)
Analysis Summary
# Vulnerability: Erlang/OTP Multiple Security Flaws (AV26-320)
## CVE Details
*Note: Specific CVE IDs were not explicitly assigned in the brief advisory text, referencing GitHub Security Advisories (GHSA) instead.*
- **Advisory ID:** GHSA-gxrm-pf64-99xm / GHSA-3vhp-h532-mc3f
- **CVSS Score:** Not explicitly provided (Estimated Medium to High)
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature) / CWE-287 (Improper Authentication)
## Affected Systems
- **Products:**
- Erlang/OTP (Core)
- inets (OTP application)
- ssl (OTP application)
- public_key (OTP application)
- **Versions:**
- **OTP:** Prior to 28.4.2, 27.3.4.10, and 26.2.5.19
- **inets:** Prior to 9.1.0.6, 9.3.2.4, and 9.6.2
- **ssl:** Prior to 11.2.12.7 and 11.5.4
- **public_key:** Prior to 1.17.1.2 and 1.20.3
- **Configurations:** Systems running the `inets` HTTP server with `mod_cgi` (`ScriptAlias` targets) behind `mod_auth` directory restrictions, and systems whose `ssl`/`public_key` applications validate OCSP responses (for example via OCSP stapling).
## Vulnerability Description
This advisory addresses two distinct security issues within the Erlang/OTP ecosystem:
1. **OCSP Authorized Responder Verification Bypass:** A flaw in the `public_key` and `ssl` applications in how a designated (delegated) OCSP responder is verified. The implementation did not properly follow the RFC 6960 §4.2.2.2 requirements for checking that the responder signing a response was authorized by the issuer of the certificate being checked, so a response signed by an unauthorized key could be accepted. An attacker who can supply such a response can provide fraudulent certificate status information (for example a "good" status for a revoked certificate).
2. **CGI Path Mismatch (`mod_auth` vs `mod_cgi`):** A vulnerability in the `inets` HTTP server lets `ScriptAlias` CGI targets bypass directory-based authentication. `mod_auth` and `mod_cgi` interpret the requested URI differently, so the authentication check and the script lookup are applied to different paths; a client can therefore invoke a CGI script that the `mod_auth` directory rules were meant to protect without authenticating.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation provided in the advisory).
- **Complexity:** Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Partial (unauthenticated clients can invoke protected CGI scripts and read their output).
- **Integrity:** Partial (fraudulent OCSP status can be accepted, undermining revocation checking; protected CGI scripts can be executed without authentication).
- **Availability:** None reported.
## Remediation
### Patches
Upgrade to one of the following versions, or to a later release on the same maintenance branch:
- **OTP:** 28.4.2, 27.3.4.10, or 26.2.5.19
- **inets:** 9.1.0.6, 9.3.2.4, or 9.6.2
- **ssl:** 11.2.12.7 or 11.5.4
- **public_key:** 1.17.1.2 or 1.20.3
### Workarounds
- For the `inets` CGI issue, until the upgrade is applied either disable `mod_cgi`/`ScriptAlias` on servers that rely on `mod_auth` to protect scripts, or apply the authentication requirement at a scope that covers the CGI scripts regardless of how the request path is interpreted (for example, require authentication server-wide rather than only for the `ScriptAlias` directory). Verify the result by requesting a protected CGI URL without credentials and confirming that the server answers 401 rather than executing the script.
- For the OCSP issue, disabling OCSP stapling validation in the `ssl` options removes the affected code path, but it also removes OCSP-based revocation checking; treat this as a stopgap, not a substitute for the patch.
## Detection
- **Indicators of Compromise:** Entries in the `inets` access or error logs showing CGI script execution for paths that `mod_auth` should have protected, with no corresponding successful authentication for the same client.
- **Detection Methods:** Confirm the installed OTP and application versions against the fixed versions above. `erlang:system_info(otp_release)` (as in `erl -noshell -eval 'erlang:display(erlang:system_info(otp_release)), halt().'`) prints only the major release, e.g. `28`, which cannot distinguish a patched build from an unpatched one. Read the full OTP version from the `OTP_VERSION` file under the release directory and query each application's `vsn` instead: `erl -noshell -eval 'io:format("otp ~s", [element(2, file:read_file(filename:join([code:root_dir(), "releases", erlang:system_info(otp_release), "OTP_VERSION"])))]), [begin application:load(A), {ok, V} = application:get_key(A, vsn), io:format("~s ~s~n", [A, V]) end || A <- [inets, ssl, public_key]], halt().'`. Compare each printed version with the affected ranges in the Affected Systems section; the `inets`, `ssl` and `public_key` versions matter independently of the OTP release, since a partially updated installation can carry a vulnerable application.
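The version comparison that the check above calls for, as an added Python example that is not part of the advisory or of Erlang/OTP: it takes `app version` lines of the shape the `erl` one-liner prints (the sample embedded below is constructed, not captured from a real host) and compares each against the fixed releases listed under Remediation. The branch-matching rule is this example's own assumption, not a statement from the advisory: a listed fixed release is taken to cover every installed version that shares its first two version components (so 26.2.5.19 covers 26.2.x and 9.3.2.4 covers 9.3.x), a version newer than the newest listed fix is taken as fixed, and a version on a branch with no listed fix is reported as `unknown-branch` and should be treated as vulnerable.

```python
"""Compare Erlang/OTP application versions against the AV26-320 fixed releases."""
from typing import Dict, List, Optional, Tuple

# Lowest fixed release on each branch, as listed in the advisory.
FIXED: Dict[str, List[str]] = {
    "otp": ["26.2.5.19", "27.3.4.10", "28.4.2"],
    "inets": ["9.1.0.6", "9.3.2.4", "9.6.2"],
    "ssl": ["11.2.12.7", "11.5.4"],
    "public_key": ["1.17.1.2", "1.20.3"],
}

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '9.1.0.6' into (9, 1, 0, 6); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(app: str, installed: str) -> Tuple[str, Optional[str]]:
    """Return (status, fixed_version) for one application.

    status is 'fixed', 'vulnerable' or 'unknown-branch'.  Assumption made by
    this example (not stated in the advisory): a listed fixed release applies
    to every installed version sharing its first two components, a version
    newer than the newest fix is fixed, and a version on a branch with no
    listed fix is 'unknown-branch' and should be treated as vulnerable.
    """
    if app not in FIXED:
        raise KeyError(f"no fixed versions recorded for {app}")
    v = parse_version(installed)
    fixes = sorted((parse_version(f), f) for f in FIXED[app])
    for fixed_v, fixed_s in fixes:
        if v[:2] == fixed_v[:2]:
            return ("fixed" if v >= fixed_v else "vulnerable", fixed_s)
    newest_v, newest_s = fixes[-1]
    if v > newest_v:
        # A newer feature branch than the newest fixed release.
        return ("fixed", newest_s)
    return ("unknown-branch", None)


def report(erl_output: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Parse 'app version' lines (one per line) and assess each one."""
    results = []
    for line in erl_output.splitlines():
        if not line.strip():
            continue
        app, version = line.split()
        status, fixed = assess(app, version)
        results.append((app, version, status, fixed))
    return results


# Constructed sample output in the shape produced by an erl one-liner that
# prints OTP_VERSION and application:get_key(App, vsn) for each application.
# These values are illustrative, not captured from a real host.
SAMPLE_OUTPUT = """\
otp 27.3.4.9
inets 9.3.2.3
ssl 11.2.12.7
public_key 1.17.1.1
"""

if __name__ == "__main__":
    for app, version, status, fixed in report(SAMPLE_OUTPUT):
        action = f"upgrade to {fixed}" if status == "vulnerable" else ""
        print(f"{app:<11} {version:<10} {status:<14} {action}")
```

Pipe the real `erl` output into `report()` instead of `SAMPLE_OUTPUT` to run it against a host; an `unknown-branch` result means the installed branch has no fix listed in the advisory, so plan an upgrade to the nearest listed fixed release rather than assuming it is safe.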
## References
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/erlang-security-advisory-av26-320
- GitHub Security Advisory (OCSP): hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-gxrm-pf64-99xm
- GitHub Security Advisory (CGI): hxxps[://]github[.]com/erlang/otp/security/advisories/GHSA-3vhp-h532-mc3f
- Erlang Security Page: hxxps[://]github[.]com/erlang/otp/security