HIGH: Accessible Erlang Port Mapper Daemon Report

DESCRIPTION LAST UPDATED: 2023-12-11

DEFAULT SEVERITY LEVEL: HIGH

Introduction

This report identifies accessible Erlang Port Mapper Daemon (EPMD) servers on port 4369/tcp. This daemon acts as a name server for hosts involved in distributed Erlang computations. It is included in Erlang/OTP. As described by Erlang:

Erlang is a programming language used to build massively scalable soft real-time systems with requirements on high availability. Some of its uses are in telecoms, banking, e-commerce, computer telephony and instant messaging. Erlang’s runtime system has built-in support for concurrency, distribution and fault tolerance.

OTP is a set of Erlang libraries and design principles providing middle-ware to develop these systems.

EPMD on port 4369/tcp is used by default on RabbitMQ and Apache CouchDB installations.

As of 2022-06-01 we find around 116 000 EPMD instances accessible.

How we scan 

We scan by sending a “\x00\x01\x6e” request to retrieve a list of nodes with their respective ports to the default EPMD port (4369/tcp) and collect the response.

You can replicate our scan by running: nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>

We do not perform any intrusive checks on a discovered service.

Dashboard

You can track the latest EPMD scan results on the Shadowserver Dashboard.

Mitigation

It is unlikely that you need to have an EPMD server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive this report from us for your network or constituency, make sure to firewall traffic to this service.

In some cases access may be exploitable. A recent example is a CVSS 9.8 remote code execution vulnerability in Apache CouchDB (CVE-2022-24706).

Severity levels are described here.

For more information on our scanning efforts, check out our Internet scanning summary page.

Filename: scan_epmd

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that response came on (always TCP)
  • port
    Port that is being queried (port 4369)
  • hostname
    Reverse DNS name of the device in question
  • tag
    Tag set to "epmd"
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • sector
    Sector the identified device belongs to
  • nodes
    List of Erlang nodes discovered, with port numbers

Sample

"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","nodes"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,4369,node01.example.com,epmd,64512,ZZ,Region,City,0,ptr,,"val_miner,34429"
"2010-02-10 00:00:01",high,192.168.0.2,tcp,4369,node02.example.com,epmd,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service","rabbit,25672"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,4369,node03.example.com,epmd,64512,ZZ,Region,City,0,,"Communications, Service Provider, and Hosting Service","rabbit,25672"
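
For report recipients, the rows above can be turned into a per-host list of TCP ports to firewall: EPMD itself plus the port each listed node registered with it, which is that node's Erlang distribution listener. This is an added example, not Shadowserver code; the function names are hypothetical, and it assumes the nodes column is a flat comma-separated list alternating node name and port, as in the sample rows.

```python
import csv
import io
from collections import defaultdict

EPMD_PORT = 4369

# Constructed input: the header and rows from the Sample section of this page.
SAMPLE_REPORT = '''\
"timestamp","severity","ip","protocol","port","hostname","tag","asn","geo","region","city","naics","hostname_source","sector","nodes"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,4369,node01.example.com,epmd,64512,ZZ,Region,City,0,ptr,,"val_miner,34429"
"2010-02-10 00:00:01",high,192.168.0.2,tcp,4369,node02.example.com,epmd,64512,ZZ,Region,City,0,ptr,"Communications, Service Provider, and Hosting Service","rabbit,25672"
"2010-02-10 00:00:02",high,192.168.0.3,tcp,4369,node03.example.com,epmd,64512,ZZ,Region,City,0,,"Communications, Service Provider, and Hosting Service","rabbit,25672"
'''


def parse_nodes(field):
    """Split the nodes column into (name, port) pairs.

    Assumption: the column alternates node name and port ("rabbit,25672").
    Pairs whose port is not a valid TCP port number are skipped.
    """
    parts = [p.strip() for p in field.split(",") if p.strip()]
    pairs = []
    for name, port in zip(parts[0::2], parts[1::2]):
        if port.isdigit() and 0 < int(port) < 65536:
            pairs.append((name, int(port)))
    return pairs


def ports_to_firewall(report_text):
    """Map each reported IP to the ports that should not face the Internet."""
    exposure = defaultdict(lambda: {"ports": {EPMD_PORT}, "nodes": []})
    for row in csv.DictReader(io.StringIO(report_text)):
        if row.get("tag") != "epmd":
            continue  # only rows from the scan_epmd report
        entry = exposure[row["ip"]]
        for name, port in parse_nodes(row.get("nodes") or ""):
            entry["nodes"].append(name)
            entry["ports"].add(port)  # the node's distribution listener
    return {ip: {"ports": sorted(e["ports"]), "nodes": e["nodes"]}
            for ip, e in exposure.items()}


if __name__ == "__main__":
    for ip, info in ports_to_firewall(SAMPLE_REPORT).items():
        print(ip, info["ports"], ",".join(info["nodes"]))
```
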
