Otherwise Patched Vulnerability in Socat Networking Service could Affect its Encryption Capabilities

Socat, a *NIX-based OSs' command-line service, lets developers to construct linkages in a network form with different protocols and ports. A particular feature which makes it outstanding compared to the earlier scheme of netcat is the way it hosts streams of encrypted data.

The service happens to be rich in features and also more complex even as it is netcat in re-implemented form. The netcat performs networking across platforms thereby creating inbound and outbound connections across various protocols/ports. Socat as well earned name as a network debugging tool.

The service employs a key exchange technique called DH (Diffie-Hellman) that basically uses one prime number for gaining shared secrets pertaining to chief exchanges. Apparently the 1024-bit DH factor that Socat utilized wasn't really any prime number. Computerworld posted this dated February 3, 2016.

In one security advisory issued 2nd February 2016, Microsoft Vulnerability Research Group's Santiago Zanella-Beguelin just found a problem relating to Socat's creation of channels for encrypted communication.

The advisory tells that within the OpenSSL enforcement of address, the 1024-bit DH factor wasn't a prime, continuing that a main exchange's cryptographic strength was weaker when relying on these parameters compared to what could be obtained via the utilization of prime number.

However, it was possible to rectify the problem through Socat versions 2.0.0-b9 and 1.7.3.1 that substitute the previous 2048-bit DH parameter, which's really certain prime number. Immediately a debate erupted among security professionals doubting if this mistake in cryptographic implementation had been intentionally committed. Tentatively, people can overcome the security flaw via turning off Diffie-Hellmann ciphers.

Gerhard Rieger developer of Socat wrote that the utility didn't function within the Federal Information Processing Standard (FIPS) form since it was necessary to have 1024 rather than 512-bit DH prime. The code was included last year during January, while Rieger removed it just some days back.

Rieger's explanation doesn't really hold technical weight, as it in fact mitigates Socat's encryption abilities. Whether purposeful else simply an arbitrary bug-fix, the instance merely reflects that schemes of open-source kind are not by default safeguarded from malware like FOSS community frequently cherishes in boasting.

» SPAMfighter News - 2/10/2016