DESCRIPTION LAST UPDATED: 2023-12-11
DEFAULT SEVERITY LEVEL: HIGH
Introduction
This report identifies accessible Erlang Port Mapper Daemon (EPMD) servers on port 4369/tcp. This daemon acts as a name server for hosts involved in distributed Erlang computations. It is included in Erlang/OTP. As described by Erlang:
Erlang is a programming language used to build massively scalable soft real-time systems with requirements on high availability. Some of its uses are in telecoms, banking, e-commerce, computer telephony and instant messaging. Erlang’s runtime system has built-in support for concurrency, distribution and fault tolerance.
OTP is a set of Erlang libraries and design principles providing middle-ware to develop these systems.
EPMD on port 4369/tcp is used by default on RabbitMQ and Apache CouchDB installations.
As of 2022-06-01 we find around 116 000 EPMD instances accessible.
How we scan
We scan by sending a “\x00\x01\x6e” request to the default EPMD port (4369/tcp) to retrieve a list of nodes with their respective ports, and collect the response.
You can replicate our scan by running: nmap -sV -Pn -n -T4 -p 4369 --script epmd-info <IP>
We do not perform any intrusive checks on a discovered service.
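To check what your own EPMD instance discloses, the following added example (not Shadowserver's scanner code) sends the same names request and parses the reply. It assumes the reply layout from the Erlang distribution protocol documentation: a 4-byte big-endian EPMD port followed by "name <node> at port <port>" lines. The function names and SAMPLE bytes are constructed for illustration.

```python
import re
import socket
import sys

NAMES_REQ = b"\x00\x01\x6e"  # request from the page: 2-byte length (1) + 'n'
NODE_LINE = re.compile(r"^name (.+) at port (\d+)$")

# Constructed sample reply: EPMD port 4369 (0x1111) and two registered nodes.
SAMPLE = b"\x00\x00\x11\x11name rabbit at port 25672\nname couchdb at port 9100\n"

def parse_names_resp(data):
    """Return (epmd_port, {node_name: distribution_port}) from a raw reply."""
    if len(data) < 4:
        raise ValueError("short reply: missing 4-byte EPMD port header")
    epmd_port = int.from_bytes(data[:4], "big")
    nodes = {}
    for line in data[4:].decode("utf-8", errors="replace").splitlines():
        match = NODE_LINE.match(line.strip())
        if match:  # ignore anything that is not a node entry
            nodes[match.group(1)] = int(match.group(2))
    return epmd_port, nodes

def ports_disclosed(data):
    """Sorted list of every TCP port the reply reveals (EPMD plus node ports)."""
    epmd_port, nodes = parse_names_resp(data)
    return sorted({epmd_port, *nodes.values()})

def query_epmd(host, port=4369, timeout=5.0):
    """Send the names request to a host you administer and parse the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(NAMES_REQ)
        chunks = []
        while True:  # EPMD closes the connection after replying
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_names_resp(b"".join(chunks))

if __name__ == "__main__":
    # With a host argument, query it; otherwise parse the constructed sample.
    result = query_epmd(sys.argv[1]) if len(sys.argv) > 1 else parse_names_resp(SAMPLE)
    print("EPMD port:", result[0])
    for name, node_port in result[1].items():
        print(f"node {name!r} listens for distribution on {node_port}/tcp")
```

Run from outside your network perimeter, a successful reply means the service is reachable in the way this report describes; the listed node ports are worth reviewing in the same firewall rules.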
Dashboard
You can track the latest EPMD scan results on the Shadowserver Dashboard.
Mitigation
It is unlikely that you need to have an EPMD server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive this report from us for your network or constituency, make sure to firewall traffic to this service.
In some cases access may be exploitable. A recent example is a CVSS 9.8 remote code execution vulnerability in Apache CouchDB (CVE-2022-24706).
Severity levels are described here.
For more information on our scanning efforts, check out our Internet scanning summary page.
Filename: scan_epmd