[tor-bugs] #24246 [Core Tor/Tor]: Fix TROVE-2017-011: An attacker can make tor ask for a password (was: Fix TROVE-2017-011)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 1 14:01:00 UTC 2017


#24246: Fix TROVE-2017-011: An attacker can make tor ask for a password
----------------------------+------------------------------------
 Reporter:  nickm           |          Owner:  nickm
     Type:  defect          |         Status:  closed
 Priority:  Medium          |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor    |        Version:
 Severity:  Normal          |     Resolution:  fixed
 Keywords:  trove-2017-011  |  Actual Points:
Parent ID:                  |         Points:
 Reviewer:                  |        Sponsor:
----------------------------+------------------------------------
Changes (by nickm):

 * status:  assigned => closed
 * resolution:   => fixed


Old description:



New description:

 {{{
 TROVE-2017-011: An attacker can make Tor ask for a password

 SEVERITY: High

 ALSO TRACKED AS: OSS-Fuzz testcase 6360145429790720, CVE-2017-8821

 CREDIT: This was found by OSS-Fuzz.

 SUMMARY:

   All over our code, we accept and parse RSA public keys in the "PEM"
   format, such as:

   -----BEGIN RSA PUBLIC KEY-----
   SXQncyBjb29sIHRoYXQgeW91IHdlcmUgY29uY2VybmVkIGVub3VnaCB0byBjaGVj
   aywgYnV0IHRoZXJlIGlzIGluIGZhY3Qgbm8gc2VjcmV0IGluZm9ybWF0aW9uIGhl
   cmUuICBUaGlzIHNwYWNlIGludGVudGlvbmFsbHkgbGVmdCBibGFuay4=
   -----END RSA PUBLIC KEY-----

   But if you pass OpenSSL a public key that's suitably constructed, it
   will ask for a password.  This applies to public keys as well as
   private keys!

   If this "key" is used in a microdescriptor, an onion service
   descriptor, a relay or bridge descriptor, or anywhere, then OpenSSL
   will pause, and ask for a passphrase.  This blocks Tor, causing a
   denial of service attack. If it causes an onion service or busy client
   to block, this could aid in traffic analysis.

   Tors that are running as a daemon (without a terminal) or inside
   another process may not be vulnerable -- it depends on OpenSSL's
   behavior when it tries to ask for a password.

 FIX:

   Everyone affected should upgrade to one of the releases with the fix
   for this issue: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or
   0.3.2.6-alpha.

 }}}

--

Comment:

 Fixed in today's security releases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24246#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
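
A defensive pattern for the parsing problem the advisory describes, as an added example (not Tor's code, and not a description of the fix in the listed releases): decode the PEM armor strictly in your own code and give the crypto library only DER, so its PEM reader is never run on untrusted text. The function names, the 1024-byte size limit and the sample data are assumptions made for this example.

```python
import base64
import binascii
import re

# One body line: up to 64 base64 characters, padding allowed at the end.
_B64_LINE = re.compile(r"[A-Za-z0-9+/]{1,64}={0,2}")

class PEMFormatError(ValueError):
    """The input is not a bare BEGIN / base64 / END block."""

def strict_pem_to_der(text, label="RSA PUBLIC KEY", max_der_len=1024):
    """Return the DER bytes of one PEM block, or raise PEMFormatError.
    Only the BEGIN line, base64 body lines and the END line are accepted,
    so the caller can pass the result to a DER parser and never hand
    untrusted text to the crypto library's PEM reader.
    """
    lines = text.strip().splitlines()
    if len(lines) < 3:
        raise PEMFormatError("truncated block")
    if lines[0] != f"-----BEGIN {label}-----":
        raise PEMFormatError("unexpected BEGIN line")
    if lines[-1] != f"-----END {label}-----":
        raise PEMFormatError("unexpected END line")
    body = lines[1:-1]
    for number, line in enumerate(body, start=1):
        if not _B64_LINE.fullmatch(line):
            raise PEMFormatError(f"body line {number} is not base64")
        if "=" in line and number != len(body):
            raise PEMFormatError("padding before the last body line")
    try:
        der = base64.b64decode("".join(body), validate=True)
    except binascii.Error as exc:
        raise PEMFormatError(f"bad base64: {exc}") from exc
    if len(der) > max_der_len:  # assumed limit, chosen for this example
        raise PEMFormatError("decoded key is larger than expected")
    return der

def armor(der, label="RSA PUBLIC KEY"):
    """Build a PEM block; used here only to construct sample input."""
    b64 = base64.b64encode(der).decode("ascii")
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"])

# Constructed samples: placeholder bytes (not a real key), then the same
# block with one extra line that is neither a marker nor base64.
SAMPLE_DER = bytes(range(140))
GOOD = armor(SAMPLE_DER)
BAD = GOOD.replace("-----\n", "-----\nThis line is not base64\n", 1)
```

Callers treat `PEMFormatError` as a malformed descriptor and drop the input instead of passing it further down.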

