oss-sec mailing list archives

socat security advisory 4 - CVE-2013-3571
From: Gerhard Rieger <gerhard () dest-unreach org>
Date: Sun, 26 May 2013 20:31:14 +0200

Socat security advisory - FD leak

Overview
  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

Details
  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap. When socat refuses a client
  connection due to one of these address or port restrictions it does
  shutdown() the socket but does not close() it, resulting in a file
  descriptor leak in the listening process, visible with command lsof
  and possibly resulting in error EMFILE "Too many open files".

Testcase
  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol

Workaround
  Use IP filters in your OS or firewall.
  Restart socat when it has crashed.

Affected versions
  1.2.0.0 - 1.7.2.1
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions
  1.0.0.0 - 1.1.0.1
  1.7.2.2 and later
  2.0.0-b6 and later

Download
  The updated sources can be downloaded from:

    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz

  Patch to 1.7.2.1:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.patch.gz

  Patch to 2.0.0-b5:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz

Credits
  Full credits to Catalin Mitrofan for finding and reporting this issue.


Attachment: signature.asc
Description: OpenPGP digital signature
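
The leak described under Details, reproduced in isolation as an added example (not socat source code and not part of the advisory). It assumes a socketpair() end can stand in for the accepted client socket; refuse_leaky, refuse_fixed and leaked_after are hypothetical names.

```c
/* Added illustration of the shutdown()-without-close() leak; not socat source. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors open in this process (scans fds 0..1023). */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Hypothetical refuse path as described in Details: shutdown() only. */
static void refuse_leaky(int fd)
{
    shutdown(fd, SHUT_RDWR);    /* connection ends, fd stays allocated */
}

/* Corrected refuse path: release the descriptor as well. */
static void refuse_fixed(int fd)
{
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Refuse `rounds` simulated clients; return the net number of leaked fds,
 * or -1 if no new socket could be created (e.g. EMFILE). */
int leaked_after(int rounds, void (*refuse)(int))
{
    int before = count_open_fds();
    for (int i = 0; i < rounds; i++) {
        int sv[2];              /* sv[0]: "accepted" socket, sv[1]: client */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
            return -1;
        refuse(sv[0]);
        close(sv[1]);
    }
    return count_open_fds() - before;
}

int main(void)
{
    printf("fixed: %d leaked\n", leaked_after(20, refuse_fixed));
    printf("leaky: %d leaked\n", leaked_after(20, refuse_leaky));
    return 0;
}
```

With the shutdown()-only path, each refused connection leaves one descriptor behind, so a long-running listener eventually reaches its RLIMIT_NOFILE limit and new connections fail with EMFILE.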

