Opened 3 years ago

Closed 2 years ago

#24246 closed defect (fixed)

Fix TROVE-2017-011: An attacker can make tor ask for a password — at Version 1

Reported by: nickm Owned by: nickm
Priority: Medium Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor Version:
Severity: Normal Keywords: trove-2017-011
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by nickm)

TROVE-2017-011: An attacker can make Tor ask for a password


ALSO TRACKED AS: OSS-Fuzz testcase 6360145429790720, CVE-2017-8821

CREDIT: This was found by OSS-Fuzz.


  All over our code, we accept parse RSA public keys in the "PEM"
  format, such as:

  -----END RSA PUBLIC KEY-----

  But if you pass OpenSSL a public key that's suitably constructed, it
  will ask for a password.  This applies to public keys as well as
  private keys!

  If this "key" is used in a microdescriptor, an onion service
  descriptor, a relay or bridge descriptor, or anywhere, then OpenSSL
  will pause, and ask for a passphrase.  This blocks Tor, causing a
  denial of service attack. If it causes an onion service or busy client
  to block, this could aid in traffic analysis.

  Tors that are running as a daemon (without a terminal) or inside
  another process may not be vulnerable -- it depends on OpenSSL's
  behavior when it tries to ask for a password.


  Everyone affected should upgrade to one of the releases with the fix
  for this issue:,,,,, or

Child Tickets

Change History (1)

comment:1 Changed 2 years ago by nickm

Description: modified (diff)
Resolution: fixed
Status: assignedclosed
Summary: Fix TROVE-2017-011Fix TROVE-2017-011: An attacker can make tor ask for a password

Fixed in today's security releases.

Note: See TracTickets for help on using tickets.