Erlang mtproto proxy — Telegram MTproxy implementation vulnerable to RCE

Konstantin Burov
Sep 12, 2023


MTProxy

The “Erlang mtproto proxy” GitHub project by Sergey Prokhorov, which implements the Telegram MTProxy protocol in Erlang, is affected by a remote code execution vulnerability.

Info

This vulnerability allows a remote attacker to run arbitrary OS commands as the low-privileged “mtproto-proxy” user via the default Erlang cookie. You can find more information about this class of vulnerability in my previous write-up — CouchDB, Erlang and cookies — RCE on default settings.

POC

So far, 1800+ potentially vulnerable hosts have been found on shodan.io, and according to the git commit history, the project has been vulnerable since September 2018.

Mitigations

If you are using a proxy in your Telegram client, go to https://shodan.io/, enter the IP address of your proxy and make sure that port 4369 is not open there. If it is, this server could be compromised and your privacy might be at risk.

If you are the administrator of such a server, close all ports except those that are necessary, for example the port of the proxy itself (usually 443) and port 22 for SSH connections.

You can also migrate to the official Telegram MTProto proxy server.
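As an added example that is not part of the original post, a shell check an administrator can run on the server itself: it parses `ss -ltn` listener lines and flags port 4369 (epmd, the Erlang port mapper) when it is bound to a non-loopback address, and prints an nftables allow-list for the ports named above. The `ss` sample is constructed and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks whether the Erlang port
# mapper (epmd, TCP 4369) is reachable beyond loopback and prints a firewall
# ruleset that only admits the ports the mitigation section mentions.

# Read `ss -H -ltn`-style lines (State Recv-Q Send-Q Local Peer) on stdin and
# print the local address:port of each listener on 4369 not bound to loopback.
exposed_epmd_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")          # last field is the port
        port = parts[n]                      # handles 0.0.0.0:4369, [::]:4369, *:4369
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (port == "4369" && host != "127.0.0.1" && host != "[::1]")
            print addr
    }'
}

# Return 0 when the given ss output shows epmd exposed, 1 otherwise.
epmd_exposed() {
    [ -n "$(printf '%s\n' "$1" | exposed_epmd_listeners)" ]
}

# Print an nftables ruleset that drops everything except loopback, established
# traffic and the listed TCP ports, e.g. "22, 443" for SSH and the proxy.
allowlist_ruleset() {
    printf 'table inet filter {\n  chain input {\n'
    printf '    type filter hook input priority 0; policy drop;\n'
    printf '    iif lo accept\n    ct state established,related accept\n'
    printf '    tcp dport { %s } accept\n  }\n}\n' "$1"
}

# Constructed sample: proxy on 443, SSH on 22, epmd on every interface.
SAMPLE_SS_OUTPUT='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 1024 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4369 0.0.0.0:*
LISTEN 0 128 [::]:4369 [::]:*
LISTEN 0 128 127.0.0.1:4369 0.0.0.0:*'

if epmd_exposed "$SAMPLE_SS_OUTPUT"; then
    echo "epmd is reachable from the network on:"
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_epmd_listeners
    echo "suggested ruleset:"
    allowlist_ruleset "22, 443"
fi
```

On a real host replace the sample with `ss -H -ltn` output; a loopback-only epmd binding is not reported because it is not reachable from the network.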

Vendor Advisory

According to Telegram’s security team and third-party sources, all traffic from the client to the Telegram servers is encrypted, and the proxy server does not even see your username, only your IP address.

However, you can still be tracked to the country/city level by IP.

The project does not appear to be active; the author has confirmed that he intends to fix the issue, but there is no exact ETA.

CVE info

Product name: Erlang mtproto proxy
Affected version: 0.7.0 and below
Vulnerability Type: Remote Command Execution
Root Cause: Improperly secured default installation (Erlang cookie)
ID: CVE-2023-45312, CWE-1188

Links
