Opened 3 weeks ago

Closed 2 weeks ago

#24430 closed defect (fixed)

Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points

Reported by: dgoulet
Owned by:
Priority: Medium
Milestone: Tor: 0.3.3.x-final
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords: trove-2017-013
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by nickm)

Ticket for high severity issue TROVE-2017-013

See https://trac.torproject.org/projects/tor/wiki/TROVE

TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points

SEVERITY: High

ALSO TRACKED AS: CVE-2017-8823

DESCRIPTION

    An onion service v2 expires its intro points regularly, at least
    once every 24 hours. While removing an intro point, if no circuit
    is found, it is put in a retry list. Then, just after, if it is
    removed because it is expiring, it is put in the expiring list.

    Tor then tries to open a circuit to that node and, on failure, it
    will free the intro point without removing it from the expiring
    list, ultimately leading to a use-after-free.

    This can only happen under specific conditions: the service is
    unable to launch circuits (which can happen if it is missing
    descriptors, for instance) and the intro point was just being
    expired. It only affects version 2 services.

MITIGATION NOTES:

    1. If you are not running an onion service, this doesn't affect
       you.

    2. If you are running tor version <= 0.2.6, this doesn't affect
       you.

    3. We believe this to be quite difficult to trigger remotely
       because of the specific conditions that tor needs to be
       in. However, it could possibly, though with difficulty, be
       induced by a malicious Guard node that suspects a connection
       to be an onion service.

ACKNOWLEDGMENTS:

    Thanks to an anonymous reporter on our bugtracker who opened a
    ticket which led to the discovery of this issue.

FIX:

    Anybody running an onion service on an affected version should
    upgrade to one of the releases with the fix for this issue:
    0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or 0.3.2.6-alpha.
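
The description above boils down to one object being referenced from two lists and freed through only one of them. The following is an added example written for this ticket page, not Tor's code: it models an intro point held by both a retry list and an expiring list, shows the buggy release path that leaves a stale pointer behind, and beside it the corrected path that unlinks the object from every list before freeing it. The struct names, the fixed-size pointer lists (standing in for Tor's smartlist), and the `rotate_intro_point` / `relaunch_failed_*` helpers are all constructed for the illustration; the "fixed" path is a general remove-before-free pattern, not a claim about the exact patch Tor shipped. The audit at the end compares addresses only, so nothing is dereferenced after `free`.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Tor's code. */
#define MAX_ENTRIES 8

typedef struct intro_point_t {
  int id;  /* constructed identifier, stands in for the node identity */
} intro_point_t;

/* A fixed-size pointer list; stands in for Tor's smartlist. */
typedef struct ptr_list_t {
  intro_point_t *items[MAX_ENTRIES];
  int len;
} ptr_list_t;

static void list_add(ptr_list_t *l, intro_point_t *ip) {
  assert(l->len < MAX_ENTRIES);
  l->items[l->len++] = ip;
}

/* Remove by address; returns 1 if found. Entries are never dereferenced,
 * so this is safe even on a list that already holds a stale pointer. */
static int list_remove(ptr_list_t *l, const intro_point_t *ip) {
  for (int i = 0; i < l->len; i++) {
    if (l->items[i] == ip) {
      memmove(&l->items[i], &l->items[i + 1],
              (size_t)(l->len - i - 1) * sizeof(l->items[0]));
      l->len--;
      return 1;
    }
  }
  return 0;
}

/* Does the list still hold an entry whose address equals `addr`?
 * Takes an integer so the audit can run after the object is freed
 * without forming or dereferencing a dangling pointer. */
static int list_holds_address(const ptr_list_t *l, uintptr_t addr) {
  for (int i = 0; i < l->len; i++)
    if ((uintptr_t)l->items[i] == addr) return 1;
  return 0;
}

/* The service, with the two lists named in the advisory text. */
typedef struct service_t {
  ptr_list_t retry;
  ptr_list_t expiring;
} service_t;

/* Steps from the description: no circuit found, so the point is queued for
 * retry; then it is removed because it is expiring, so it also lands on the
 * expiring list. The same object is now referenced from two places. */
static void rotate_intro_point(service_t *s, intro_point_t *ip) {
  list_add(&s->retry, ip);
  list_add(&s->expiring, ip);
}

/* Buggy pattern: the circuit launch fails, the point is dropped from the
 * retry list and freed, but the expiring list keeps the stale pointer.
 * Returns the freed address as an integer so the caller can audit lists. */
static uintptr_t relaunch_failed_buggy(service_t *s, intro_point_t *ip) {
  uintptr_t addr = (uintptr_t)ip;
  list_remove(&s->retry, ip);
  free(ip);  /* s->expiring still references addr: use-after-free waiting to happen */
  return addr;
}

/* Corrected pattern (a general remove-before-free, assumed here, not Tor's
 * actual patch): unlink from every list that may hold the object, then free. */
static uintptr_t relaunch_failed_fixed(service_t *s, intro_point_t *ip) {
  uintptr_t addr = (uintptr_t)ip;
  list_remove(&s->retry, ip);
  list_remove(&s->expiring, ip);
  free(ip);
  return addr;
}

/* Run one scenario end to end; returns 1 if a dangling entry remains. */
static int scenario_leaves_dangling(int use_fixed_path) {
  service_t svc;
  memset(&svc, 0, sizeof(svc));
  intro_point_t *ip = calloc(1, sizeof(*ip));
  assert(ip != NULL);
  ip->id = 42;  /* constructed value */
  rotate_intro_point(&svc, ip);
  uintptr_t freed = use_fixed_path ? relaunch_failed_fixed(&svc, ip)
                                   : relaunch_failed_buggy(&svc, ip);
  return list_holds_address(&svc.expiring, freed);
}

int main(void) {
  printf("buggy path leaves dangling entry: %d\n", scenario_leaves_dangling(0));
  printf("fixed path leaves dangling entry: %d\n", scenario_leaves_dangling(1));
  return 0;
}
```

The useful defensive habit the example encodes is an ownership rule: an object that can sit on several bookkeeping lists must have a single release routine that unlinks it from all of them, and every failure path must call that routine rather than `free` directly. Running such code under AddressSanitizer (`-fsanitize=address`) with a later iteration over the expiring list would flag the buggy variant immediately, which is the cheapest detection for this bug class in a test suite.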


Change History (1)

comment:1 Changed 2 weeks ago by nickm

Description: modified (diff)
Resolution: fixed
Status: new → closed
Summary: Fix TROVE-2017-013 → Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points

Fixed in today's security releases.
