Changes between Initial Version and Version 1 of Ticket #24430


Timestamp: Dec 1, 2017, 2:02:32 PM (20 months ago)
Author: nickm
Comment:

Fixed in today's security releases.

  • Ticket #24430

    • Property Status changed from new to closed
    • Property Resolution changed from to fixed
    • Property Summary changed from Fix TROVE-2017-013 to Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points
  • Ticket #24430 – Description

    See https://trac.torproject.org/projects/tor/wiki/TROVE

    {{{
    TROVE-2017-13: Use-after-free in onion service v2 when rotating intro points

    SEVERITY: High

    ALSO TRACKED AS: CVE-2017-8823

    DESCRIPTION

        An onion service v2 expires its intro points regularly, at least
        once every 24 hours. While removing an intro point, if no circuit
        is found, it is put in a retry list. Then, just after, if it is
        removed because it is expiring, it is put in the expiring list.

        Tor then tries to open a circuit to that node and, on failure, it
        will free the intro point without removing it from the expiring
        list, ultimately leading to a use-after-free.

        This can only happen under specific conditions: the service is
        unable to launch circuits (which can happen if it is missing
        descriptors, for instance) and the intro point was just being
        expired. It only affects version 2 services.

    MITIGATION NOTES:

        1. If you are not running an onion service, this doesn't affect
           you.

        2. If you are running tor version <= 0.2.6, this doesn't affect
           you.

        3. We believe this to be quite difficult to trigger remotely
           because of the specific conditions that tor needs to be
           in. However, it could be possible, though hard, for a
           malicious Guard node that suspects a connection to be an
           onion service to induce it.

    ACKNOWLEDGMENTS:

        Thanks to an anonymous reporter on our bugtracker who opened a
        ticket which led to the discovery of this issue.

    FIX:

        Anybody running an onion service on an affected version should
        upgrade to one of the releases with the fix for this issue:
        0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or 0.3.2.6-alpha.
    }}}
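A simplified model of the bookkeeping the advisory describes, added here as an example and not Tor's code: one intro point linked into both a retry list and an expiring list, freed on circuit-launch failure. The buggy path unlinks only from the retry list and leaves a dangling entry behind; the fixed path unlinks from every list first. All names and structures are assumptions for illustration.

```c
#include <stdlib.h>

/* Illustrative model (not Tor's code): an intro point may be linked into a
 * retry list and an expiring list at the same time, so freeing it must
 * unlink it from every list that may still reference it. */
#define MAX_INTRO 8

typedef struct intro_point_t {
  int id;
  int has_circuit; /* 1 if a circuit to the node is currently open */
} intro_point_t;

typedef struct intro_list_t {
  intro_point_t *items[MAX_INTRO];
  int n;
} intro_list_t;

static void list_add(intro_list_t *l, intro_point_t *ip) {
  if (l->n < MAX_INTRO) l->items[l->n++] = ip;
}

static void list_remove(intro_list_t *l, const intro_point_t *ip) {
  for (int i = 0; i < l->n; i++)
    if (l->items[i] == ip) { l->items[i] = l->items[--l->n]; return; }
}

/* On circuit-launch failure the intro point is freed. The buggy path only
 * unlinks it from the retry list; the fixed path also unlinks it from the
 * expiring list, so no list keeps a pointer to freed memory. */
static void free_intro_point(intro_point_t *ip, intro_list_t *retry,
                             intro_list_t *expiring, int fixed) {
  list_remove(retry, ip);
  if (fixed) list_remove(expiring, ip);
  free(ip);
}

/* Walks the sequence from the advisory and returns how many entries are
 * left in the expiring list after the free: each one is a dangling pointer. */
int simulate_rotation(int fixed) {
  intro_list_t retry = {0}, expiring = {0};
  intro_point_t *ip = calloc(1, sizeof *ip);
  ip->id = 1;
  if (!ip->has_circuit) list_add(&retry, ip);     /* no circuit: retry list */
  list_add(&expiring, ip);                        /* also expiring: expiring list */
  free_intro_point(ip, &retry, &expiring, fixed); /* launch fails: freed */
  return expiring.n;                              /* buggy: 1, fixed: 0 */
}
```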