DoS vulnerability in Erlang distribution over TCP

erlang
blog-posts
security

#1

I’ve mentioned this over in the #security channel in Slack, as well as via Twitter, but I think it’s worth mentioning here too. There is a known vulnerability in Erlang’s TCP distribution module that allows anyone with network access to an Erlang node (a VM started with a short or long name) to bring down the VM.

Further information can be found here:

TL;DR: you should only ever use TCP distribution on a closed network (but you already knew that)

BTW, the author also claims he can derive the cookie value, and therefore take complete control over the node. I remain skeptical about this claim, but in any case, the claim is only valid for auto-generated cookie values, which turn out to have very little entropy. So to be safe, always generate your own cookie values from a good source of randomness.


#2

Yes, we were never interested in that type of security. You should NEVER let anyone you don’t trust to run things on your Erlang/Elixir node. Once you are in you can do anything. There is support for running Erlang distribution over SSL but I would stil put everything behind firewalls and use a VPN.


#3

Sure, and that’s fair enough, but people who are coming on board now may not be aware of the original design goals. So it is important to reiterate the limitations and the best practices every now and then.

Please note that the vulnerability described here does not require running code on an existing cluster node: anyone with access to the network on which the node’s inet_tcp_dist listens (all interfaces by default) can trigger atom creation over a plain TCP socket, and therefore crash the VM in minutes.


#4

Most definitely! Otherwise people will suffer needless pain and mistakenly blame Erlang/Elixir for it.