How Tor Browser passed the strength test: security audit results

Detailed analysis: what vulnerabilities were found in Tor?

The developers of the popular tool for anonymous Internet surfing, Tor Browser, have released the results of an extensive security audit. The audit covered the main projects: Tor Browser, OONI Probe, rdsys, BridgeDB and Conjure. Experts from Cure53 conducted the audit from November 2022 to April 2023.

The audit revealed 9 vulnerabilities: two were rated critical, one was rated medium, and the remaining 6 were classified as insignificant. In addition, 10 technical flaws were found that were not directly related to security. Overall, the Tor code was found to meet the standards for secure programming.

Major vulnerabilities:
  1. First dangerous vulnerability, in rdsys: The vulnerability was discovered in the rdsys backend, which is used to deliver various resources to users, including proxy lists and download links. The handler for registering resources required no authentication, so an attacker could register their own malicious resource and have it served to users. The vulnerability could be exploited by sending an HTTP request to the rdsys handler.
  2. Second dangerous vulnerability, in Tor Browser: The problem was the lack of digital signature verification when loading the list of bridges via rdsys and BridgeDB. Since this list is loaded before connecting to the anonymous Tor network, attackers could substitute the contents of the list, for example by intercepting the connection. This could lead to users connecting through compromised bridge nodes controlled by an attacker.
  3. Moderate vulnerability in rdsys: The vulnerability was found in the build deployment script of the rdsys subsystem. It allowed an attacker to escalate privileges from the nobody user to the rdsys user, provided they had access to the server and could write to a directory with temporary files. Exploitation is limited to replacing the executable file placed in the /tmp directory. Obtaining rdsys user rights allows an attacker to modify executable files launched via rdsys.
  4. Low-risk vulnerabilities: Most of them were associated with the use of outdated libraries containing known vulnerabilities, or with the possibility of causing a denial of service. In Tor Browser, for example, it was possible to bypass the ban on JavaScript execution at the highest protection level, there were no restrictions on downloading files, and there was a potential information leak through the user's home page that made it possible to track users between restarts.

At the moment, all vulnerabilities have been fixed. Additional security measures have also been implemented, including authentication for all rdsys components and verification of digital signatures when loading lists in Tor Browser.
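The signature check described above for bridge lists, shown as an added Go example (not code from Tor Browser, rdsys or the audit report). It assumes a detached Ed25519 signature and a public key pinned in the client; the function names, the key and the sample bridge lines are hypothetical and constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// ErrBadSignature is returned when the list does not verify under the pinned key.
var ErrBadSignature = errors.New("bridge list signature invalid")

// VerifyBridgeList (hypothetical name) returns the bridge lines only if sig is a
// valid Ed25519 signature over the exact bytes of body. Nothing is parsed, and
// no bridge is used, before the signature has been checked.
func VerifyBridgeList(pinned ed25519.PublicKey, body, sig []byte) ([]string, error) {
	// ed25519.Verify panics on a wrong-sized key, so check the length first.
	if len(pinned) != ed25519.PublicKeySize || !ed25519.Verify(pinned, body, sig) {
		return nil, ErrBadSignature
	}
	var bridges []string
	for _, line := range strings.Split(string(body), "\n") {
		if line = strings.TrimSpace(line); line != "" {
			bridges = append(bridges, line)
		}
	}
	return bridges, nil
}

// demoKey derives a fixed key pair from an all-zero seed (constructed, demo only).
// Assumption: a real client ships only the public half, pinned in the build.
func demoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := demoKey()
	// Constructed sample list using documentation-range addresses.
	body := []byte("obfs4 192.0.2.10:443 cert=EXAMPLE\nobfs4 192.0.2.11:443 cert=EXAMPLE\n")
	sig := ed25519.Sign(priv, body) // done by the list publisher, not the client

	bridges, err := VerifyBridgeList(pub, body, sig)
	fmt.Println("genuine list:", len(bridges), "bridges, err =", err)

	// A list altered in transit no longer matches the signature and is rejected.
	tampered := []byte(strings.Replace(string(body), "192.0.2.10", "198.51.100.7", 1))
	_, err = VerifyBridgeList(pub, tampered, sig)
	fmt.Println("tampered list: err =", err)
}
```

Because the key is pinned in the client rather than fetched alongside the list, an attacker who intercepts the download cannot supply a matching key and signature of their own.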

In addition to fixing vulnerabilities, a new version, Tor Browser 13.0.1, has been released, based on Firefox 115.4.0 ESR, which fixes 19 vulnerabilities. Tor Browser 13.0.1 for Android has been updated with vulnerability fixes from the Firefox 119 branch.
 