Red Hat Bugzilla – Full Text Bug Listing
|Summary:||CVE-2013-3571 socat: Denial of service due to file descriptor leak|
|Product:||[Other] Security Response||Reporter:||Agostino Sarubbo <ago>|
|Component:||vulnerability||Assignee:||Red Hat Product Security <security-response-team>|
|Status:||NEW ---||QA Contact:|
|Fixed In Version:||socat-220.127.116.11, socat-2.0.0-b6||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Bug Depends On:||967539, 967540|
Description Agostino Sarubbo 2013-05-26 14:46:46 EDT
From oss-security mailing list: Socat security advisory - FD leak Overview Under certain circumstances an FD leak occurs and can be misused for denial of service attacks against socat running in server mode. Vulnerability Id: CVE-2013-3571 Details The issue occurs when a vulnerable version of socat is invoked with a listen type address with option fork and one or more of the options sourceport, lowport, range, or tcpwrap. When socat refuses a client connection due to one of these address or port restrictions it does shutdown() the socket but does not close() it, resulting in a file descriptor leak in the listening process, visible with command lsof and possibly resulting in error EMFILE "Too many open files". Testcase In one terminal run the server: socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe In a second terminal see which FDs are open, then connect (implicitely using a forbidden address), and check if there is a new FD open, e.g.: lsof -p $(pgrep socat) socat /dev/null tcp:localhost:10000 lsof -p $(pgrep socat) If the second lsof shows an additional FD as in the following line, this socat version is vulnerable: socat 17947 gerhard 4u sock 0,6 0t0 1145265 can't identify protocol Workaround Use IP filters in your OS or firewall. Restart socat when it crashed. Affected versions 18.104.22.168 - 22.214.171.124 2.0.0-b1 - 2.0.0-b5 Not affected or corrected versions 126.96.36.199 - 188.8.131.52 184.108.40.206 and later 2.0.0-b6 and later Download The updated sources can be downloaded from: http://www.dest-unreach.org/socat/download/socat-220.127.116.11.tar.gz http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz Patch to 18.104.22.168: http://www.dest-unreach.org/socat/download/socat-22.214.171.124.patch.gz Patch to 2.0.0-b5: http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz Credits Full credits to Catalin Mitrofan for finding and reporting this issue.
Comment 1 Jan Lieskovsky 2013-05-27 07:50:36 EDT
Upstream advisory: http://www.dest-unreach.org/socat/contrib/socat-secadv4.html
Comment 2 Jan Lieskovsky 2013-05-27 07:55:32 EDT
This issue affects the versions of the socat package, as shipped with Fedora release of 17 and 18. Please schedule an update. -- This issue affects the versions of the socat package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-05-27 07:56:29 EDT
Created socat tracking bugs for this issue Affects: fedora-all [bug 967539] Affects: epel-all [bug 967540]
Comment 6 Fedora Update System 2013-06-09 23:22:39 EDT
socat-126.96.36.199-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-11 05:05:48 EDT
socat-188.8.131.52-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-11 05:09:50 EDT
socat-184.108.40.206-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-06-12 16:07:14 EDT
socat-220.127.116.11-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-06-12 16:07:45 EDT
socat-18.104.22.168-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.