oss-sec mailing list archives

socat security advisory 4 - CVE-2013-3571
From: Gerhard Rieger <gerhard () dest-unreach org>
Date: Sun, 26 May 2013 20:31:14 +0200

Socat security advisory - FD leak

  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap. When socat refuses a client
  connection due to one of these address or port restrictions it does
  shutdown() the socket but does not close() it, resulting in a file
  descriptor leak in the listening process, visible with command lsof
  and possibly resulting in error EMFILE "Too many open files".

  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range= pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol

  Use IP filters in your OS or firewall.
  Restart socat when it has crashed.

Affected versions -
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions - and later
  2.0.0-b6 and later

  The updated sources can be downloaded from:


  Patch to

  Patch to 2.0.0-b5:

  Full credits to Catalin Mitrofan for finding and reporting this issue.

Attachment: signature.asc
Description: OpenPGP digital signature
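
Added example, not part of the advisory and not socat source code: a minimal C illustration of the leak pattern the advisory describes, where a refused connection is shutdown() but never close()d, next to the corrected form. socketpair() stands in for accept() so it runs without a network; all function names here are hypothetical.

```c
/* Added illustration, not socat source; names are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process (what lsof would list). */
static int count_open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 4096; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Vulnerable pattern from the advisory: shutdown() without close(). */
static void reject_leaky(int fd) {
    shutdown(fd, SHUT_RDWR);
}

/* Corrected pattern: the descriptor is released as well. */
static void reject_fixed(int fd) {
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Simulate n refused clients; return how many descriptors stay open. */
int leaked_after(int n, void (*reject)(int)) {
    int before = count_open_fds();
    for (int i = 0; i < n; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
            return -1;          /* e.g. EMFILE once enough have leaked */
        close(sv[1]);           /* the client side goes away */
        reject(sv[0]);          /* server refuses the "accepted" socket */
    }
    return count_open_fds() - before;
}

int main(void) {
    printf("shutdown only:    %d leaked\n", leaked_after(8, reject_leaky));
    printf("shutdown + close: %d leaked\n", leaked_after(8, reject_fixed));
    return 0;
}
```

Each refused client costs the leaky variant one descriptor for the life of the process, which is why a long-running listener eventually hits EMFILE.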
