#24430: Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points ----------------------------+------------------------------------ Reporter: dgoulet | Owner: (none) Type: defect | Status: closed Priority: Medium | Milestone: Tor: 0.3.3.x-final Component: Core Tor/Tor | Version: Severity: Normal | Resolution: fixed Keywords: trove-2017-013 | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: ----------------------------+------------------------------------ Changes (by nickm):
* status: new => closed * resolution: => fixed Old description: > Ticket for high severity issue TROVE-2017-013 > > See https://trac.torproject.org/projects/tor/wiki/TROVE New description: Ticket for high severity issue TROVE-2017-013 See https://trac.torproject.org/projects/tor/wiki/TROVE {{{ TROVE-2017-13: Use-after-free in onion service v2 when rotating intro points SEVERITY: High ALSO TRACKED AS: CVE-2017-8823 DESCRIPTION An onion service v2 expires its intro points regularly at least once very 24 hours. While removing an intro point, if no circuit is found, it is put in a retry list. Then just after, if it is removed because it is expiring, it is put in the expiring list. Tor then tries to open a circuit to that node and, on failure, it will free the intro point without removing it from the expiring list ultimately leading to a use-after-free. This can only happens in specific conditions which are that the service's is unable to launch circuits, this can happen if it is missing descriptors for instance and if the intro points was just being expired. It only affects version 2 services. MITIGATION NOTES: 1. If you are not running an onion service, this doesn't affect you. 2. If you are running tor version <= 0.2.6, this doesn't affect you. 3. We believe this to be quite difficult to trigger remotely because of the specific conditions that tor needs to be in. However, it could be possible but hard to be induced by a malicious Guard node suspecting a connection to be an onion service. ACKNOWLEDGMENTS: Thanks to an anonymous reporter on our bugtracker that opened a ticket which lead to the discovery of this issue. FIX: Anybody running an onion service on an affected version should upgrade to one of the releases with the fix for this issue: 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or 0.3.2.6-alpha. }}} -- Comment: Fixed in today's security releases. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24430#comment:1> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online
_______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs