Socat security advisory 4 - FD leak

Overview

Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode.

Vulnerability Ids

CVE-2013-3571

Details

The issue occurs when a vulnerable version of socat is invoked with a listen type address with option fork and one or more of the options sourceport, lowport, range, or tcpwrap. When socat refuses a client connection due to one of these address or port restrictions it calls shutdown() on the socket but does not close() it, resulting in a file descriptor leak in the listening process, visible with the lsof command and possibly resulting in the error EMFILE "Too many open files".

Testcase

In one terminal run the server:

socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

In a second terminal see which FDs are open, then connect (implicitly using a forbidden address), and check whether a new FD is open, e.g.:

lsof -p $(pgrep socat)
socat /dev/null tcp:localhost:10000
lsof -p $(pgrep socat)

If the second lsof shows an additional FD as in the following line, this socat version is vulnerable:

socat 17947 gerhard 4u sock 0,6 0t0 1145265 can't identify protocol
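
As an added illustration (not socat's own code), the following C program reproduces the mechanism from the Details section and mirrors the lsof check from the testcase with an in-process descriptor count: a refusal that only calls shutdown() leaves the accepted descriptor open, while shutdown() followed by close() does not. The range check and the socketpair standing in for an accept()ed TCP connection are constructed for the example.

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors open in this process, the in-process equivalent of
 * running lsof -p against the listener. */
int count_open_fds(void) {
    long limit = sysconf(_SC_OPEN_MAX);
    if (limit < 0 || limit > 65536) limit = 65536;
    int n = 0;
    for (int fd = 0; fd < limit; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Peer check in the spirit of socat's range= option (constructed here):
 * the client is allowed only if its address lies inside net/prefix. */
int peer_in_range(const char *peer, const char *net, int prefix) {
    struct in_addr p, n;
    if (prefix < 0 || prefix > 32) return 0;
    if (inet_pton(AF_INET, peer, &p) != 1 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = prefix == 0 ? 0 : htonl(0xffffffffu << (32 - prefix));
    return (p.s_addr & mask) == (n.s_addr & mask);
}

/* Vulnerable pattern: refuse the client with shutdown() only. The connection
 * is torn down but the descriptor stays in the process table. */
void refuse_leaky(int fd) { shutdown(fd, SHUT_RDWR); }

/* Corrected pattern: shutdown() and then close() releases the descriptor. */
void refuse_fixed(int fd) { shutdown(fd, SHUT_RDWR); close(fd); }

/* Simulate one refused connection with a socketpair standing in for the
 * accept()ed TCP socket; returns how many descriptors the refusal left behind. */
int leaked_after_refusal(void (*refuse)(int)) {
    int sv[2];
    int before = count_open_fds();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1) return -1;
    close(sv[1]);      /* the client side goes away */
    refuse(sv[0]);     /* the server refuses the connection */
    return count_open_fds() - before;
}
```

Each call to leaked_after_refusal(refuse_leaky) adds one descriptor that is never reclaimed, which is the growth the second lsof in the testcase makes visible and the path to EMFILE.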

Workaround

Use IP filters in your OS or firewall.

Restart socat when it has crashed.

Affected versions

1.2.0.0 - 1.7.2.1

2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions

1.0.0.0 - 1.1.0.1

1.7.2.2 and later

2.0.0-b6 and later

Download

The updated sources can be downloaded from:

Patch to 1.7.2.1:

Patch to 2.0.0-b5:

Credits

Full credits to Catalin Mitrofan for finding and reporting this issue.