You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -60,7 +60,7 @@ In a controlled environment—such as an internal network—this works well. EPM
EPMD itself does not enforce strong authentication. Erlang clustering uses a “cookie” as a shared secret, but this cookie is not intended as a robust security mechanism—it’s more of a sanity check to prevent accidental cross-node connections. If an attacker can guess or brute-force the cookie, they could join your cluster.
Once inside the cluster, the attacker could potentially run arbitrary Erlang Remote Procedure Calls (RPCs), giving them full control of the application and underlying system. While no widespread internet-based attacks on EPMD have been documented publicly, the theoretical risk is real. A known timing-based brute-force approach is described here:
Once inside the cluster, the attacker could potentially run arbitrary Erlang Remote Procedure Calls (RPCs), giving them full control of the application and underlying system. While no widespread internet-based attacks on EPMD have been documented publicly, the theoretical risk is real. A known brute-force approach is described here:
