The Tor Software Has Two Potential Denial Of Service Vulnerabilities, Fix Is Coming Next Week

From LinuxReviews

Current and previous versions of the Tor Onion Router software have two undisclosed Denial Of Service vulnerabilities with the potential to cause problems for the Tor network's authority servers. The Tor Project will release a new version with a fix "early next week". Everyone who is using Tor Browser or running a Tor node should upgrade when it becomes available.

written by 윤채경 (Yoon Chae-kyung)  2021-03-09 - last edited 2021-03-13. © CC BY

Tor Browser v10.0.12 (Mozilla Firefox 78.8.0esr)

The Tor Project will release an updated version of the Tor Onion Router software "Early next week -- around Tuesday" to address two Denial Of Service vulnerabilities identified as TROVE-2021-001 and TROVE-2021-002. One is classified as "High" and one is classified as "Medium". The "TROVE: Tor Registry Of Vulnerabilities and Exposures" web page has no further information at this time.

Computer scientist Nick Mathewson gave these details about the vulnerabilities on the Tor-talk mailing list on March 8th, 2021:

"The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances. Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.

To the best of our knowledge these vulnerabilities are not being exploited in the wild."

Nick Mathewson
on Tor-Talk, March 8th, 2021

Nick Mathewson was very tight-lipped about the details around the two potential attacks when we asked him at #tor on irc.oftc.net. He did clarify that:

"One of them would be VERY noticeable, the other would show up as a long stall with high CPU consumption.

It would only happen on authorities.

I'll post more information next week once the fixes are out."

Nick Mathewson
on #tor on irc.oftc.net March 9th, 2021

There is no cause for alarm if you are using the Tor Browser for human rights work or other work where secure communication is key; these vulnerabilities are, as we understand it, only something that could potentially cause problems with the directory authority servers the Tor network relies on.

Updated versions of the Tor Browser, which includes the Tor routing software, will become available at torproject.org/download/ and updated source code for the Tor client will become available at torproject.org/download/tor/. "Early next week" would mean somewhere between March 15th and March 18th. If you happen to be the maintainer of a GNU/Linux distribution's Tor package, you should probably make a note to ensure that updated packages become available.
