Bug 967345 - (CVE-2013-3571) CVE-2013-3571 socat: Denial of service due to file descriptor leak
CVE-2013-3571 socat: Denial of service due to file descriptor leak
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
Unspecified Unspecified
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20130526,repor...
: Security
Depends On: 967539 967540
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-26 14:46 EDT by Agostino Sarubbo
Modified: 2015-07-31 03:06 EDT (History)
2 users (show)

See Also:
Fixed In Version: socat-1.7.2.2, socat-2.0.0-b6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Agostino Sarubbo 2013-05-26 14:46:46 EDT
From oss-security mailing list:

Socat security advisory - FD leak

Overview
  Under certain circumstances an FD leak occurs and can be misused for
  denial of service attacks against socat running in server mode.

Vulnerability Id: CVE-2013-3571

Details
  The issue occurs when a vulnerable version of socat is invoked with a
  listen type address with option fork and one or more of the options
  sourceport, lowport, range, or tcpwrap. When socat refuses a client
  connection due to one of these address or port restrictions it does
  shutdown() the socket but does not close() it, resulting in a file
  descriptor leak in the listening process, visible with command lsof
  and possibly resulting in error EMFILE "Too many open files".

Testcase
  In one terminal run the server:

    socat -d tcp-listen:10000,reuseaddr,fork,range=0.0.0.0/32 pipe

  In a second terminal see which FDs are open, then connect (implicitely
  using a forbidden address), and check if there is a new FD open, e.g.:

    lsof -p $(pgrep socat)
    socat /dev/null tcp:localhost:10000
    lsof -p $(pgrep socat)

  If the second lsof shows an additional FD as in the following line,
  this socat version is vulnerable:

    socat  17947 gerhard  4u  sock  0,6  0t0 1145265 can't identify protocol

Workaround
  Use IP filters in your OS or firewall.
  Restart socat when it crashed.

Affected versions
  1.2.0.0 - 1.7.2.1
  2.0.0-b1 - 2.0.0-b5

Not affected or corrected versions
  1.0.0.0 - 1.1.0.1
  1.7.2.2 and later
  2.0.0-b6 and later

Download
  The updated sources can be downloaded from:

    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.tar.gz
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.tar.gz

  Patch to 1.7.2.1:
    http://www.dest-unreach.org/socat/download/socat-1.7.2.2.patch.gz

  Patch to 2.0.0-b5:
    http://www.dest-unreach.org/socat/download/socat-2.0.0-b6.patch.gz

Credits
  Full credits to Catalin Mitrofan for finding and reporting this issue.
Comment 1 Jan Lieskovsky 2013-05-27 07:50:36 EDT
Upstream advisory:
  http://www.dest-unreach.org/socat/contrib/socat-secadv4.html
Comment 2 Jan Lieskovsky 2013-05-27 07:55:32 EDT
This issue affects the versions of the socat package, as shipped with Fedora release of 17 and 18. Please schedule an update.

--

This issue affects the versions of the socat package, as shipped with Fedora EPEL-5 and Fedora EPEL-6. Please schedule an update.
Comment 3 Jan Lieskovsky 2013-05-27 07:56:29 EDT
Created socat tracking bugs for this issue

Affects: fedora-all [bug 967539]
Affects: epel-all [bug 967540]
Comment 6 Fedora Update System 2013-06-09 23:22:39 EDT
socat-1.7.2.2-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-06-11 05:05:48 EDT
socat-1.7.2.2-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2013-06-11 05:09:50 EDT
socat-1.7.2.2-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-06-12 16:07:14 EDT
socat-1.7.2.2-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2013-06-12 16:07:45 EDT
socat-1.7.2.2-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.