Impact
The DTLS server in Erlang/OTP initializes the cookie secret with an empty key during startup, making the cookie computation deterministic; an attacker who observes the plaintext ClientHello can compute a valid cookie before the server rotates the secret, bypassing the source address verification intended to mitigate spoofed clients and force state allocation and cryptographic work; this flaw is a default cryptographic key issue identified as CWE‑1394.
Affected Systems
The vulnerability affects Erlang/OTP releases 20.0 through 28.5 and 27.3; the affected ssl module versions are 8.2 before 11.7.3, 11.6.0.3, and 11.2.12.10, until the firmware is updated to a fixed release such as OTP 29.0.3 or later.
Risk and Exploitability
The CVSS score of 6.3 indicates a medium severity; the vulnerability is not listed in the CISA KEV catalogue, so the current public exploitation probability is unclear; however, the 0–15 second startup window provides a narrow but exploitable period for forging a valid DTLS cookie, enabling source address verification bypass and potentially leading to DTLS handshake amplification and resource exhaustion or denial of service; the flaw does not enable arbitrary code execution or data exfiltration but can degrade service availability and increase network traffic.
OpenCVE Enrichment