sslh File Descriptor Exhaustion Vulnerability Causes Denial-of-Service

A vulnerability in sslh versions prior to 2.2.4 allows attackers to exhaust file descriptors, leading to a denial-of-service condition for legitimate users. This issue arises in the sslh-select and sslh-ev implementations, where UDP connections can be manipulated to keep file descriptors open. The exhaustion of file descriptors, which is limited to 1024, can cause the application to crash, creating a simple remote denial-of-service attack vector.

Impact

Exploitation of this vulnerability fills the application's file descriptor limit, causing legitimate connections to be denied. Once the limit is reached, sslh crashes due to a null pointer dereference, leading to a segmentation fault.

Reproduction

The vulnerability can be reproduced by sending a large number of UDP connections to an sslh-select or sslh-ev instance. Each connection should transmit a small amount of data, such as a single byte, to keep the connection active. This approach can be automated with a script or tool that generates the UDP traffic, effectively saturating the file descriptor limit before the connections are closed.

Remediation

Users can update sslh to version 2.2.4, which addresses this vulnerability.