Date: Sun, 26 May 2013 20:31:14 +0200
From: Gerhard Rieger <gerhard@...t-unreach.org>
To: oss-security@...ts.openwall.com
Subject: socat security advisory 4 - CVE-2013-3571

Socat security advisory - FD leak

Overview
  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

Details
  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap.

  When socat refuses a client connection due to one of these address or
  port restrictions, it does shutdown() the socket but does not close()
  it. This results in a file descriptor leak in the listening process,
  visible with the command lsof and possibly resulting in error EMFILE
  "Too many open files".

Testcase
  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat 17947 gerhard 4u sock 0,6 0t0 1145265 can't identify protocol

Workaround
  Use IP filters in your OS or firewall. Restart socat if it has crashed.

Affected versions
  188.8.131.52 - 184.108.40.206
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions
  220.127.116.11 - 18.104.22.168
  22.214.171.124 and later
  2.0.0-b6 and later

Download
  The updated sources can be downloaded from:

    http://www.dest-unreach.org/socat/download/socat-126.96.36.199.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz

  Patch to 188.8.131.52:
    http://www.dest-unreach.org/socat/download/socat-184.108.40.206.patch.gz

  Patch to 2.0.0-b5:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz

Credits
  Full credits to Catalin Mitrofan for finding and reporting this issue.
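
The leak described under Details, reduced to a self-contained C program. This is an added example, not socat source code and not part of the advisory; refuse_clients() and open_fds() are hypothetical names, and socketpair() stands in for accept() so the program runs without a network.

```c
/* Added illustration, not socat source: refusing a connection with
 * shutdown() alone leaks the descriptor; close() is what frees it. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process (range 0..1023). */
static int open_fds(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Refuse `clients` connections the way a forking listener's parent would.
 * Assumption: socketpair() stands in for accept(); sv[0] is the accepted
 * socket, sv[1] the remote client.
 * Returns the number of descriptors leaked, or -1 on error. */
int refuse_clients(int clients, int fixed) {
    int before = open_fds();
    for (int i = 0; i < clients; i++) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
            return -1;
        close(sv[1]);                /* client side goes away            */
        shutdown(sv[0], SHUT_RDWR);  /* connection is torn down ...      */
        if (fixed)
            close(sv[0]);            /* ... but only close() frees the FD */
    }
    return open_fds() - before;
}

int main(void) {
    printf("shutdown() only:      %d leaked\n", refuse_clients(20, 0));
    printf("shutdown() + close(): %d leaked\n", refuse_clients(20, 1));
    return 0;
}
```

Each refused client costs the long-lived listening process one descriptor until the RLIMIT_NOFILE ceiling is reached, which is the EMFILE condition named in the advisory.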