How to remediate – Erlang Port Mapper Daemon Detection

1. Introduction

Erlang Port Mapper Daemon Detection identifies a port mapping service running on the remote host. This daemon acts as a name server for distributed Erlang computations, potentially exposing systems to unwanted connections and information disclosure. Systems commonly affected are those running Erlang-based applications or services. A successful exploit could lead to information leakage or denial of service.

2. Technical Explanation

The vulnerability occurs when the Erlang Port Mapper Daemon (epmd) is running, listening for connections on a network port. This daemon facilitates communication between Erlang nodes but can be abused by attackers to discover active Erlang nodes and potentially exploit vulnerabilities in those nodes. An attacker could enumerate connected Erlang nodes and attempt further exploitation.

  • Root cause: The epmd service is running and listening on a network port, which exposes the system’s Erlang node information.
  • Exploit mechanism: An attacker can connect to the epmd daemon to enumerate active Erlang nodes on the network. This information can then be used for targeted attacks against those nodes.
  • Scope: Systems running Erlang and utilizing the epmd service are affected, regardless of operating system.

3. Detection and Assessment

To confirm if a system is vulnerable, check if the epmd process is listening on a network port. A thorough method involves examining network connections and identifying the associated Erlang nodes.

  • Quick checks: Use `netstat -tulnp | grep epmd` to see if the daemon is listening.
  • Scanning: A vulnerability scanner can detect running epmd instances; Nessus plugin ID 13846 is one example.
  • Logs and evidence: Check system logs for messages related to the epmd service startup or connection attempts.
netstat -tulnp | grep epmd
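
The quick check above relies on the process-name column, which `netstat -p` only fills in for sockets the calling user owns (run it as root, otherwise `grep epmd` can miss the listener). The following added example, not part of the original article, matches on the port instead and reports whether each epmd listener is bound to loopback only or reachable from other hosts. It assumes epmd's default TCP port 4369; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify epmd listeners from `netstat -tln` or `ss -tln` output.
# Assumption: epmd uses its default TCP port 4369; set EPMD_PORT if overridden.
EPMD_PORT="${EPMD_PORT:-4369}"

# Constructed samples (not captured from a real host).
SAMPLE_EXPOSED='tcp   0  0 0.0.0.0:4369    0.0.0.0:*  LISTEN  812/epmd
tcp6  0  0 :::4369         :::*       LISTEN  812/epmd
tcp   0  0 0.0.0.0:22      0.0.0.0:*  LISTEN  640/sshd'
SAMPLE_LOOPBACK='tcp   0  0 127.0.0.1:4369  0.0.0.0:*  LISTEN  -
tcp6  0  0 ::1:4369        :::*       LISTEN  -'

# audit_epmd: read listener lines on stdin, print "EXPOSED <addr>" or
# "LOOPBACK <addr>" for every socket listening on the epmd port.
audit_epmd() {
  awk -v port="$EPMD_PORT" '
    !/LISTEN/ { next }
    {
      addr = ""
      # The local address is the first field that ends in ":<port>".
      for (i = 1; i <= NF; i++)
        if ($i ~ (":" port "$")) { addr = $i; break }
      if (addr == "") next
      host = addr
      sub(":" port "$", "", host)
      gsub(/\[/, "", host); gsub(/\]/, "", host)   # ss prints [::1]:4369
      if (host ~ /^127\./ || host == "::1") print "LOOPBACK " addr
      else print "EXPOSED " addr
    }'
}

# count_exposed: number of epmd listeners reachable from other hosts.
count_exposed() {
  audit_epmd | awk '/^EXPOSED /{ n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_EXPOSED" | audit_epmd
printf '%s\n' "$SAMPLE_LOOPBACK" | audit_epmd
# On a live host: ss -tln | audit_epmd   (or: netstat -tln | audit_epmd)
```

A non-zero `count_exposed` result after remediation means epmd is still listening on an address other hosts can reach.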

4. Solution / Remediation Steps

To fix this issue, consider disabling or restricting access to the Erlang Port Mapper Daemon if it is not required for your application’s functionality. If needed, configure firewall rules to limit connections to authorized hosts only.

4.1 Preparation

  • Dependencies: Ensure that disabling epmd does not impact the functionality of Erlang-based applications.
  • Roll back plan: Re-enable the service and restore the original configuration.
  • Change window needs: Coordinate with application owners to minimize disruption.

4.2 Implementation

  1. Stop the epmd service using `systemctl stop epmd` (or the equivalent command for your operating system).
  2. Disable the epmd service from starting automatically on boot using `systemctl disable epmd`.

4.3 Config or Code Example

Before

# Systemd service file (example)
[Unit]
Description=Erlang Port Mapper Daemon
...
[Service]
ExecStart=/usr/bin/epmd -daemon
...

After

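# Systemd service file (example, disabled)
# The unit file itself does not change: systemd has no Enabled= directive.
# `systemctl disable epmd` records the disabled state by removing the unit's
# enablement symlinks.
[Unit]
Description=Erlang Port Mapper Daemon
...
[Service]
ExecStart=/usr/bin/epmd -daemon
...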

4.4 Security Practices Relevant to This Vulnerability

  • Practice 1: Least privilege – Only run services with the minimum necessary permissions to reduce the impact if exploited.
  • Practice 2: Network segmentation – Isolate Erlang nodes on separate network segments to limit exposure.

4.5 Automation (Optional)

# Example Ansible task to disable epmd service
- name: Disable Erlang Port Mapper Daemon
  systemd:
    name: epmd
    enabled: no
    state: stopped

5. Verification / Validation

Confirm the fix by verifying that the epmd service is no longer running and listening on a network port. Re-run the detection methods to ensure the issue has been resolved.

  • Post-fix check: Run `netstat -tulnp | grep epmd`. The output should be empty.
  • Re-test: Repeat the quick check from section 3; no results should appear.
  • Monitoring: Monitor system logs for unexpected errors related to Erlang services.
netstat -tulnp | grep epmd

6. Preventive Measures and Monitoring

  • Baselines: Update security baselines to include a check for unnecessary services like epmd.
  • Pipelines: Implement configuration management tools to enforce service state and prevent unauthorized changes.
  • Asset and patch process: Regularly review running services on systems to identify and disable unused or vulnerable components.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Disabling epmd may impact Erlang-based applications that rely on it for communication.
  • Roll back: 1) Enable the epmd service using `systemctl enable epmd`. 2) Start the epmd service using `systemctl start epmd`.

8. References and Resources

Updated on December 27, 2025
