Porting 4 Security Bugs to OTP SSH tag OTP-18.3.4.11

Bmis13 · April 27, 2025, 1:43pm

We are currently using the SSH module from OTP-18.3.4.11, integrated with NSC 4.7.0 and Confd 6.7.3.2 (both leveraging Erlang/OTP 18.3.4.11 from 2016) for Netconf functionality in our product. As these versions are now EOL, we are working to address known security vulnerabilities.

I am seeking assistance in backporting the following security fixes to the OTP-18.3.4.11 branch:

Unauthenticated Remote Code Execution in Erlang/OTP SSH
[KEX init error resulting in excessive memory usage]
(KEX init error results with excessive memory usage · Advisory · erlang/otp · GitHub)
[SSH SFTP packet size not verified properly]
(SSH SFTP packet size not verified properly · Advisory · erlang/otp · GitHub)
[SSL fails to validate incorrect extended key usage]
(ssl fails to validate incorrect extended key usage · Advisory · erlang/otp · GitHub)

Initially, I would appreciate help in identifying the specific commits associated with each of these issues. Following that, any guidance on how to correctly port the changes to the OTP-18.3.4.11 tag would be incredibly helpful.

By way of background, this is my first experience working with the Erlang language—my primary programming experience is in Java, Python, and Bash. While I have successfully built and compiled the OTP-18.3.4.11 branch, navigating the Erlang codebase and syntax is challenging at times.

I reached out to Lukas Larsson, who kindly suggested posting here for community support. I would be very grateful for any advice, guidance, or help that could be provided to assist in patching this older software version.

Thank you very much in advance for your time and support!

Best regards,

Bhavesh

mikpe · April 27, 2025, 4:32pm

The problem with backporting fixes is not just identifying the specific commits for the actual fixes, but any and all dependencies (both explicit and implicit) the fixes depend on. The further back you want to backport things the more work you have to put in both in identifying dependencies, and testing to make sure (a) the fix works, and (b) the backport didn’t break anything.

It might be easier to backport the entire ssh application as-is, but again the issue would be dealing with dependencies.

If you insist on doing this, I’d suggest contracting Erlang Solutions to do the work.

Personally I’d argue that it’s time to upgrade from OTP-18 to something that isn’t EOL.

Bmis13 · April 28, 2025, 4:44am

Thanks for responding. That is the first thing we tried to use OTP-25 and combine it with Ubuntu 18.0.4, and plus we don’t have the NCS and Confd source code. It is with tail-f Cisco. We are just customers using an EOL product. Plus, the beam file format (internal .beam compiled format) slightly changed between OTP 23 ➔ 24 ➔ 25. OTP-18, 19, etc. are too old to understand new BEAM structures, macros, and attributes. We need a drop-in replacement for the following SSH binary. I will contact Erlang Solutions, but if some can identify commits associated with each of the 4 vulnerabilities, it would make it easy to port it. I was planning to do it ourselves, but I need some pointers and some context. I was hoping someone could help identify and we can take it from there.

./lib/ncs/lib/otp/ssh-4.2.2.6.ez

./lib/confd/lib/core/ssh.ez

Thanks,

Bhavesh

ingela · April 28, 2025, 8:12am

The SSL part that that was wrong, does not exist in OTP-18.3.4.11. Although you probably want the public_key fixes. Although OTP-18.3.4.11 is ancient and you would be much better of upgrading your OTP version. It could be possible to take the whole ssh and ssl appliations and sucessfully deploy them in older versions, but it could mean taking public_key and crypto and in some cases stdlib too. And if you need to take crypto or stdlib this might become tricky escpecially going so many releases back.

Bmis13 · April 28, 2025, 11:52pm

./lib/ncs/lib/otp/ssh-4.2.2.6.ez is exactly as OTP-18.3.4.11 so it is drop-in replacement.

But confd ./lib/confd/lib/core/ssh.ez zip file contains beam files not found on lib/ssh/src ? Does anyone from where additional files are being referred ?

DSS.beam
PKCS-1.beam
ssh_cm.beam
ssh_dsa.beam
ssh_math.beam
ssh_rsa.beam
ssh_ssh.beam
ssh_sshd.beam
ssh_tcp.beam
ssh_tcp_wrap.beam
ssh_userauth.beam

Full set of files:
DSS.beam
PKCS-1.beam
ssh.app
ssh_app.beam
ssh.appup
ssh.beam
ssh_bits.beam
ssh_cli.beam
ssh_cm.beam
ssh_dsa.beam
ssh_file.beam
ssh_io.beam
ssh_math.beam
ssh_no_io.beam
ssh_rsa.beam
ssh_sftp.beam
ssh_sftpd.beam
ssh_ssh.beam
ssh_sshd.beam
ssh_tcp.beam
ssh_tcp_wrap.beam
ssh_transport.beam
ssh_userauth.beam
ssh_xfer.beam

ssh.app
%%% This is an -- erlang -- file.

{application, ssh,
[{description, “SSH-2 for Erlang/OTP”},
{vsn, “0.9”},
{modules, [‘DSS’,
‘PKCS-1’,
ssh,
ssh_app,
ssh_bits,
ssh_cli,
ssh_cm,
ssh_dsa,
ssh_file,
ssh_io,
ssh_math,
ssh_no_io,
ssh_rsa,
ssh_sftp,
ssh_sftpd,
ssh_ssh,
ssh_sshd,
ssh_tcp,
ssh_tcp_wrap,
ssh_transport,
ssh_userauth,
ssh_xfer]},
{registered, },
{applications, [kernel, stdlib]},
{env, },
{mod, {ssh_app, }}]}.

mikpe · April 29, 2025, 3:34pm

Looks like they come from an older Erlang/OTP release. Most likely they built the confd you have with something older than OTP-18.

ssh_math was present in R10B up to OTP-17,

fnchooft · April 29, 2025, 5:35pm

Good Afternoon Bhavesh,

I would like to suggest that you ask your questions about ConfD on the new support portal

which you can find here: https://dmap-community.ductus.global.

There you can find a response to the dmap-community about the status of the CVE you are

referring to. Feel free to add your comments and/or questions there.

You can also find more information about the next phases of DMAP ( see the link below )

including support for DMAP after the EOL of the product you are currently using.

Kind regards,

Fabian van ´t Hooft

DMAP: https://ductus.global/ductus-device-management-automation-platform-dmap

vances · April 30, 2025, 3:02am

I was curious about this so I went down the rabbit hole a bit and found that you can still download ConfD Basic from Cisco. The latest version (8.0.17) was released in February 2025. I installed it and determined it is running OTP 22:

2> application:which_applications().
[{netconf,"netconf","1.0"},
 {cli,"cli","1.0"},
 {pam,"pam","1.0"},
 {econfd,"econfd","8.0.17"},
 {cdb,"cdb","1.0"},
 {capi,"capi","1.0"},
 {confd_ssh,"ConfD/NSO library for SSH clients, SSH servers and related utilities",
            "1.0"},
 {ssh,"SSH-2 for Erlang/OTP","4.9.1.3"},
 {public_key,"Public key infrastructure","1.10.0.1"},
 {crypto,"CRYPTO","4.6.5.2"},
 {asn1,"The Erlang ASN1 compiler version 5.0.12","5.0.12"},
 {confd,"confd","1.0"},
 {stdlib,"ERTS  CXC 138 10","3.12.1"},
 {kernel,"ERTS  CXC 138 10","6.5.2.2"}]