The Tor Software Has Two Potential Denial Of Service Vulnerabilities, Fix Is Coming Next Week
Current and previous versions of the Tor Onion Router software have two undisclosed Denial Of Service vulnerabilities with the potential to cause problems for the Tor network's directory authority servers. The Torproject will release a new version with a fix "early next week". Everyone who is using Tor Browser or running a Tor relay should upgrade when it becomes available.
The Torproject will release an updated version of the Tor Onion Router software "Early next week -- around Tuesday" to address two Denial Of Service vulnerabilities identified as TROVE-2021-002. One is classified as "High" and one is classified as "Medium". The "TROVE: Tor Registry Of Vulnerabilities and Exposures" web page has no further information at this time.
Computer scientist Nick Mathewson gave these details about the vulnerabilities on the Tor-talk mailing list on March 8th, 2021:
"The impact of these issues is that a remote attacker participating in the directory protocol can cause a denial of service attack against Tor instances. Once the new versions are released, we will recommend that all relays and authorities should upgrade. The impact is worst for directory authorities: we have already distributed patches to the authority operators and encouraged them to upgrade.
To the best of our knowledge these vulnerabilities are not being exploited in the wild."
Nick Mathewson was very tight-lipped about the details of the two potential attacks when we asked him on irc.oftc.net. He did clarify that:
"One of them would be VERY noticeable, the other would show up as a long stall with high CPU consumption.
It would only happen on authorities.
I'll post more information next week once the fixes are out."
There is no cause for alarm if you are using the Tor Browser for human rights work or other work where secure communications are key. These are denial of service issues, not a weakness in Tor's encryption or anonymity, and as we understand it their impact is worst for the directory authority servers the Tor network relies on. The caveat is availability rather than confidentiality: the directory authorities produce the consensus that every Tor client and relay depends on, which is why Tor wants all relays and authorities, not just the authorities, to upgrade once the fixed release is out.
Updated versions of the Tor Browser, which includes the Tor routing software, will become available at torproject.org/download/ and updated source code for the Tor client will become available at torproject.org/download/tor/. "Early next week" would mean somewhere between March 15th and March 18th. If you happen to be the maintainer of a GNU/Linux distribution's Tor package, you should make a note to ensure that updated packages become available as soon as the release is out.
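Relay operators who run more than a handful of nodes will want a quick way to confirm that every relay is actually on the fixed release after upgrading. The script below is an added example written for this article; it is not code from the Tor Project. It parses the output of `tor --version` (strings such as `Tor version 0.4.5.6.` or `Tor version 0.4.6.1-alpha (git-abc).`) and compares it against a minimum version. Because the article does not name the fixed release number, `MINIMUM_VERSION` is a placeholder the operator fills in once Tor announces it. The ordering rule is this example's own simplification of Tor's version scheme (pre-release tags `alpha` < `beta` < `rc` sort before the untagged release with the same numbers; a trailing `-dev` is ignored) and is not a copy of tor's internal `tor_version_compare()`.

```python
"""Check whether the locally installed tor meets a minimum version.

Added example for this article, not Tor Project code. MINIMUM_VERSION is a
placeholder: the article does not name the fixed release, so fill it in
from the Tor announcement. The comparison is a simplified reading of Tor's
version format, not tor's own tor_version_compare().
"""
import re
import shutil
import subprocess
from typing import NamedTuple, Optional

# Placeholder (assumption): replace with the version Tor announces as fixed.
MINIMUM_VERSION = "0.0.0.0"

# Pre-release tags in ascending order; an untagged release outranks them all.
# Assumption of this example: a "-dev" suffix is ignored, so "0.4.6.1-alpha-dev"
# compares equal to "0.4.6.1-alpha".
_STATUS_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}

# MAJOR.MINOR.MICRO[.PATCHLEVEL][-STATUS]; the trailing "." tor prints is left out.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+))?")


class TorVersion(NamedTuple):
    major: int
    minor: int
    micro: int
    patchlevel: int
    status: str

    def sort_key(self):
        # Unknown tags rank lowest so a surprise string never passes a check.
        return (self.major, self.minor, self.micro, self.patchlevel,
                _STATUS_RANK.get(self.status, -1))


def parse_tor_version(text: str) -> Optional[TorVersion]:
    """Extract the first version number from `tor --version` output.

    Returns None when no version is present, so callers fail closed.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch, status = m.groups()
    return TorVersion(int(major), int(minor), int(micro),
                      int(patch) if patch is not None else 0,
                      status or "")


def is_at_least(running: str, minimum: str) -> bool:
    """True if `running` is the same as or newer than `minimum`."""
    a = parse_tor_version(running)
    b = parse_tor_version(minimum)
    if a is None or b is None:
        raise ValueError("unparseable tor version string")
    return a.sort_key() >= b.sort_key()


def installed_tor_version_output() -> Optional[str]:
    """Run the local tor binary's --version, or return None if tor is absent."""
    tor = shutil.which("tor")
    if tor is None:
        return None
    result = subprocess.run([tor, "--version"], capture_output=True,
                            text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    output = installed_tor_version_output()
    if output is None:
        print("tor binary not found in PATH")
    elif is_at_least(output, MINIMUM_VERSION):
        print(f"OK: {output.strip()} >= {MINIMUM_VERSION}")
    else:
        print(f"UPGRADE NEEDED: {output.strip()} < {MINIMUM_VERSION}")
```

Run it on each relay host (or push it out with whatever fleet tooling you already use) after the packages land; a relay that prints `UPGRADE NEEDED`, or whose version string fails to parse, is one to look at before assuming the fleet is patched.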