The TorProject Urges All Relay Operators To Upgrade To 0.4.5.7+ Due To Denial-Of-Service Issues
The TorProject released three new stable versions of the Tor Onion Router this week, 0.3.5.14, 0.4.4.8 and 0.4.5.7. These releases address two different denial-of-service issues. One of them (TROVE-2021-002) affects directory authority nodes, and only them, and can crash an authority outright; the other (TROVE-2021-001) can drive up CPU usage on directory authorities and relays, and a malicious directory cache can use it against clients as well. Everyone running a Tor relay or directory authority should upgrade.
The Torproject, the organization behind The Onion Router (tor), has disclosed two unfortunate denial-of-service vulnerabilities in the Tor router software. They have just released three new stable versions, 0.3.5.14, 0.4.4.8 and 0.4.5.7, and a new 0.4.6.1-alpha release, addressing these vulnerabilities.
Everyone running a Tor relay should upgrade to one of the new releases.
Casual end-users of the Tor Browser, whether for human rights work or just to browse the web anonymously, have much less to worry about. The Tor Browser does include a Tor client, but it is not configured to act as a Tor relay by default (it can be, and you would know if you had done that), so the authority-only crash bug does not apply to it at all. The CPU-exhaustion bug is a different story: according to the Tor Project's own advisory, a malicious directory cache can trigger it against clients when they download directory data, so Tor Browser users should install the next Tor Browser update when it ships. The vulnerabilities are an urgent concern only if you are running the Tor software configured as a relay or authority.
The TorProject describes one of the vulnerabilities as having the potential to seriously harm the Tor authorities (TROVE-2021-002). The other has the potential to cause high CPU usage on Tor relays and directory authority nodes, and, through a malicious directory cache, on clients (TROVE-2021-001).
"One of these vulnerabilities (TROVE-2021-001) would allow an attacker who can send directory data to a Tor instance to force that Tor instance to consume huge amounts of CPU. This is easiest to exploit against authorities, since anybody can upload to them, but directory caches could also exploit this vulnerability against relays or clients when they download.
The other vulnerability (TROVE-2021-002) only affects directory authorities, and would allow an attacker to remotely crash the authority with an assertion failure. Patches have already been provided to the authority operators, to help ensure network stability."
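The advisory above boils down to two questions for an operator: is this instance a relay or authority, and is the running version at or above the fixed release for its branch? The following Python script answers both. It is an added example written for this article, not code from the Tor Project: the fixed-version table is taken from the release list above, the version string is assumed to come from `tor --version` (which prints a line such as "Tor version 0.4.5.7."), and the role is read from a torrc file by looking for a non-zero ORPort and the AuthoritativeDirectory option. The assumption that any branch newer than 0.4.6 already contains the fix is mine, as is the sample torrc embedded below.

```python
import re

# Minimum fixed release for each branch named in the Tor Project's advisory.
FIXED = {
    (0, 3, 5): (0, 3, 5, 14),
    (0, 4, 4): (0, 4, 4, 8),
    (0, 4, 5): (0, 4, 5, 7),
    (0, 4, 6): (0, 4, 6, 1),   # 0.4.6.1-alpha
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull the numeric version out of `tor --version` output.

    'Tor version 0.4.5.6.' -> (0, 4, 5, 6); returns None if nothing matches.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(m.group(i)) for i in range(1, 5))


def is_fixed(text):
    """True if the version carries the TROVE-2021-001/002 fixes.

    Branches older than 0.3.5 (end-of-life, not in the advisory) are
    treated as unfixed.  Branches newer than 0.4.6 are assumed to have
    been cut after the fix (assumption, not stated in the advisory).
    """
    v = parse_version(text)
    if v is None:
        return False
    branch = v[:3]
    if branch in FIXED:
        return v >= FIXED[branch]
    return branch > (0, 4, 6)


def tor_role(torrc_text):
    """Classify a torrc as 'client', 'relay' or 'authority'.

    A relay is any instance with an ORPort other than 0; an authority is
    a relay that also sets AuthoritativeDirectory 1.  Comments and
    option-name case are handled the way torrc itself treats them.
    """
    orport_enabled = False
    authority = False
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "orport" and value != "0":
            orport_enabled = True
        elif key == "authoritativedirectory" and value == "1":
            authority = True
    if orport_enabled and authority:
        return "authority"
    if orport_enabled:
        return "relay"
    return "client"


def upgrade_advice(version_text, torrc_text):
    """Combine role and version into the recommendation the advisory gives."""
    role = tor_role(torrc_text)
    if is_fixed(version_text):
        return role, "patched"
    if role in ("relay", "authority"):
        return role, "upgrade now (TROVE-2021-001" + \
            (" and TROVE-2021-002)" if role == "authority" else ")")
    return role, "upgrade when your client/browser update ships (TROVE-2021-001 via malicious caches)"


# Constructed sample input: a vulnerable relay running 0.4.5.6.
SAMPLE_VERSION = "Tor version 0.4.5.6."
SAMPLE_TORRC = """\
# Example torrc (constructed for this article)
Nickname exampleRelay
ORPort 9001
DirPort 9030
ExitRelay 0
"""

if __name__ == "__main__":
    print(upgrade_advice(SAMPLE_VERSION, SAMPLE_TORRC))
```

On a real box, feed it the actual output of `tor --version` and the contents of your torrc (commonly /etc/tor/torrc); running the block as-is uses the constructed sample and reports the relay as needing an upgrade.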
The new versions also switch Geo-IP data source. Previous versions of Tor shipped the Maxmind GeoLite2 database to map an IP address to a country. Maxmind changed their license terms at the end of 2019: the database is still technically free, but you now need to register and obtain a user-name and password to legally download "free" updates. The new Tor releases ship the IPFire Location Database instead of the increasingly outdated Maxmind database bundled with previous versions.
You can acquire the source code for the latest Tor onion router software from dist.torproject.org. You really should upgrade to one of the new versions if you are running a Tor relay.