[v2.3] socat 1.2.0.0 - 1.7.2.1, 2.0.0-b1 - 2.0.0-b5 (CVE-2013-3571)
Overview
Under certain circumstances an FD leak occurs and can be misused for
denial of service attacks against socat running in server mode.
Vulnerability Id: CVE-2013-3571
Details
The issue occurs when a vulnerable version of socat is invoked with a
listen-type address that carries the fork option together with one or
more of the options sourceport, lowport, range, or tcpwrap. When socat
refuses a client connection because of one of these address or port
restrictions it calls shutdown() on the accepted socket but never
close()s it. Each refused connection therefore leaks one file descriptor
in the listening process; the leaked descriptors are visible with the
lsof command, and once the process hits its descriptor limit further
accept() calls fail with error EMFILE "Too many open files".
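The following C program is an added illustration of the descriptor bookkeeping described above; it is not socat's own code. It places the defective refusal path (shutdown() only) next to the corrected one (shutdown() followed by close()) and counts open descriptors so the leak can be verified without a network: an AF_UNIX socketpair stands in for the accepted TCP socket. All function names are assumptions made here.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors currently open in this process by probing
   fcntl(F_GETFD) on every fd below the open-file limit (capped so the
   loop stays cheap on systems with a very large limit). */
int count_open_fds(void) {
    long limit = sysconf(_SC_OPEN_MAX);
    if (limit < 0 || limit > 65536) limit = 65536;
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Refusal as in the vulnerable versions: shutdown() tears down the
   connection, but the descriptor stays in the listener's fd table. */
void refuse_leaky(int fd) {
    shutdown(fd, SHUT_RDWR);
}

/* Corrected refusal: the descriptor is released with close(). */
void refuse_fixed(int fd) {
    shutdown(fd, SHUT_RDWR);
    close(fd);
}

/* Simulate one refused client (constructed with socketpair instead of a
   real accept()) and return how many descriptors remain leaked afterwards.
   Returns -1 if the socketpair could not be created. */
int leaked_after_refusal(void (*refuse)(int)) {
    int sv[2];
    int before = count_open_fds();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    close(sv[1]);                   /* the client side goes away */
    refuse(sv[0]);                  /* server-side handling of the refusal */
    int leaked = count_open_fds() - before;
    if (leaked > 0) close(sv[0]);   /* reclaim the leaked fd for the demo */
    return leaked;
}

int main(void) {
    printf("leaky refusal leaves %d fd(s) open\n", leaked_after_refusal(refuse_leaky));
    printf("fixed refusal leaves %d fd(s) open\n", leaked_after_refusal(refuse_fixed));
    return 0;
}
```

With the fork option every refused connection costs the listener one descriptor on the leaky path, which is exactly what the lsof check in the testcase below makes visible.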
Testcase
In one terminal run the server:
socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe
In a second terminal see which FDs are open, then connect (implicitly
using a forbidden address), and check whether a new FD is open, e.g.:
lsof -p $(pgrep socat)
socat /dev/null tcp:localhost:10000
lsof -p $(pgrep socat)
If the second lsof shows an additional FD as in the following line,
this socat version is vulnerable:
socat 17947 gerhard 4u sock 0,6 0t0 1145265 can't identify protocol
Workaround
Use IP filters in your OS or firewall instead of socat's address and port restrictions.
Restart socat when it has crashed.
Affected versions
1.2.0.0 - 1.7.2.1
2.0.0-b1 - 2.0.0-b5
Not affected or corrected versions
1.0.0.0 - 1.1.0.1
1.7.2.2 and later
2.0.0-b6 and later
Download
The updated sources can be downloaded from:
http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz
Patch to 1.7.2.1:
http://www.dest-unreach.org/socat/download/socat-1.7.2.2.patch.gz
Patch to 2.0.0-b5:
http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz
Credits
Full credits to Catalin Mitrofan for finding and reporting this issue.
(from redmine: issue id 2011, created on 2013-05-27, closed on 2013-05-28)
- Relations:
- parent #2000 (closed)
- Changesets:
- Revision 337ebba8 by Natanael Copa on 2013-05-27T16:53:15Z:
main/socat: security upgrade to 1.7.2.2 (CVE-2013-3571)
ref #2000
fixes #2011
(cherry picked from commit b9d344ff691b31bdf9a9e33d1937d0959bbbd72a)
Conflicts:
main/socat/APKBUILD