[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #24246 [Core Tor/Tor]: Fix TROVE-2017-011: An attacker can make tor ask for a password (was: Fix TROVE-2017-011)
#24246: Fix TROVE-2017-011: An attacker can make tor ask for a password
----------------------------+------------------------------------
Reporter: nickm | Owner: nickm
Type: defect | Status: closed
Priority: Medium | Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor | Version:
Severity: Normal | Resolution: fixed
Keywords: trove-2017-011 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
----------------------------+------------------------------------
Changes (by nickm):
* status: assigned => closed
* resolution: => fixed
Old description:
New description:
{{{
TROVE-2017-011: An attacker can make Tor ask for a password
SEVERITY: High
ALSO TRACKED AS: OSS-Fuzz testcase 6360145429790720, CVE-2017-8821
CREDIT: This was found by OSS-Fuzz.
SUMMARY:
All over our code, we accept parse RSA public keys in the "PEM"
format, such as:
-----BEGIN RSA PUBLIC KEY-----
SXQncyBjb29sIHRoYXQgeW91IHdlcmUgY29uY2VybmVkIGVub3VnaCB0byBjaGVj
aywgYnV0IHRoZXJlIGlzIGluIGZhY3Qgbm8gc2VjcmV0IGluZm9ybWF0aW9uIGhl
cmUuICBUaGlzIHNwYWNlIGludGVudGlvbmFsbHkgbGVmdCBibGFuay4=\n
-----END RSA PUBLIC KEY-----
But if you pass OpenSSL a public key that's suitably constructed, it
will ask for a password. This applies to public keys as well as
private keys!
If this "key" is used in a microdescriptor, an onion service
descriptor, a relay or bridge descriptor, or anywhere, then OpenSSL
will pause, and ask for a passphrase. This blocks Tor, causing a
denial of service attack. If it causes an onion service or busy client
to block, this could aid in traffic analysis.
Tors that are running as a daemon (without a terminal) or inside
another process may not be vulnerable -- it depends on OpenSSL's
behavior when it tries to ask for a password.
FIX:
Everyone affected should upgrade to one of the releases with the fix
for this issue: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or
0.3.2.6-alpha.
}}}
--
Comment:
Fixed in today's security releases.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24246#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs