Bug 967345 (CVE-2013-3571)

Summary: CVE-2013-3571 socat: Denial of service due to file descriptor leak
Product: [Other] Security Response
Reporter: Agostino Sarubbo <ago>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, pwouters
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: socat-1.7.2.2, socat-2.0.0-b6
Doc Type: Bug Fix
Last Closed: 2018-11-13 10:53:16 UTC
Type: Bug
Bug Depends On: 967539, 967540

Description Agostino Sarubbo 2013-05-26 18:46:46 UTC
From oss-security mailing list:

Socat security advisory - FD leak

Overview
  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

Details
  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap. When socat refuses a client
  connection due to one of these address or port restrictions it does
  shutdown() the socket but does not close() it, resulting in a file
  descriptor leak in the listening process, visible with command lsof
  and possibly resulting in error EMFILE "Too many open files".

Testcase
  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitly
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol

Workaround
  Use IP filters in your OS or firewall.
  Restart socat when it crashed.

Affected versions
  1.2.0.0 - 1.7.2.1
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions
  1.0.0.0 - 1.1.0.1
  1.7.2.2 and later
  2.0.0-b6 and later

Download
  The updated sources can be downloaded from:

    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz

  Patch to 1.7.2.1:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.patch.gz

  Patch to 2.0.0-b5:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz

Credits
  Full credits to Catalin Mitrofan for finding and reporting this issue.
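
The refuse path described under Details, reduced to a stand-alone C program that measures how many descriptors the listening side retains. This is an added example, not socat source code and not part of the advisory; it assumes socketpair() as a stand-in for accept() so it runs offline, and all function names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Count descriptors open in this process (probing 0..1023 is an assumption). */
int open_fd_count(void) {
    int n = 0;
    for (int fd = 0; fd < 1024; fd++)
        if (fcntl(fd, F_GETFD) != -1)
            n++;
    return n;
}

/* Vulnerable pattern: shutdown() ends the connection, the descriptor stays allocated. */
void refuse_leaky(int client) {
    shutdown(client, SHUT_RDWR);
}

/* Corrected pattern: close() returns the descriptor to the process table. */
void refuse_fixed(int client) {
    shutdown(client, SHUT_RDWR);
    close(client);
}

/* Simulate n refused clients; return how many descriptors the server side kept. */
int leaked_after_refusals(int n, void (*refuse)(int)) {
    int before = open_fd_count();
    for (int i = 0; i < n; i++) {
        int sv[2];                    /* sv[0] = server side, sv[1] = client side */
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
            break;                    /* EMFILE would surface here once the table is full */
        refuse(sv[0]);
        close(sv[1]);                 /* the client goes away on its own */
    }
    return open_fd_count() - before;
}

int main(void) {
    printf("leaky: %d descriptors retained\n", leaked_after_refusals(5, refuse_leaky));
    printf("fixed: %d descriptors retained\n", leaked_after_refusals(5, refuse_fixed));
    return 0;
}
```

Each refused connection costs the leaky variant one descriptor, which is why a long-running listener with option fork eventually fails with EMFILE.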

Comment 1 Jan Lieskovsky 2013-05-27 11:50:36 UTC
Upstream advisory:
  http://www.dest-unreach.org/socat/contrib/socat-secadv4.html

Comment 2 Jan Lieskovsky 2013-05-27 11:55:32 UTC
This issue affects the versions of the socat package, as shipped with Fedora release of 17 and 18. Please schedule an update.

--

This issue affects the versions of the socat package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.

Comment 3 Jan Lieskovsky 2013-05-27 11:56:29 UTC
Created socat tracking bugs for this issue

Affects: fedora-all [bug 967539]
Affects: epel-all [bug 967540]

Comment 6 Fedora Update System 2013-06-10 03:22:39 UTC
socat-1.7.2.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-06-11 09:05:48 UTC
socat-1.7.2.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2013-06-11 09:09:50 UTC
socat-1.7.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-06-12 20:07:14 UTC
socat-1.7.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2013-06-12 20:07:45 UTC
socat-1.7.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.