[tor-bugs] #24333 [Core Tor/Tor]: Fix TROVE-2017-012: Relays can pick themselves in a circuit path (was: Fix TROVE-2017-012)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 1 14:01:50 UTC 2017


#24333: Fix TROVE-2017-012:  Relays can pick themselves in a circuit path
----------------------------+------------------------------------
 Reporter:  teor            |          Owner:  (none)
     Type:  defect          |         Status:  closed
 Priority:  Medium          |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor    |        Version:
 Severity:  Normal          |     Resolution:  fixed
 Keywords:  trove-2017-011  |  Actual Points:
Parent ID:                  |         Points:
 Reviewer:                  |        Sponsor:
----------------------------+------------------------------------
Changes (by nickm):

 * status:  new => closed
 * resolution:   => fixed


Old description:

> Ticket for medium severity issue TROVE-2017-012
>
> See https://trac.torproject.org/projects/tor/wiki/TROVE

New description:

 Ticket for medium severity issue TROVE-2017-012

 See https://trac.torproject.org/projects/tor/wiki/TROVE

 {{{
 TROVE-2017-012: Relays can pick themselves in a circuit path

 SEVERITY: Medium

 ALSO TRACKED AS: CVE-2017-8822

 DESCRIPTION

     A relay can open circuits for reachability purposes, preemptive
     Exit circuits or possible onion service client usage. If a relay
     doesn't have the descriptors of all the relays in the network, it
     is possible for the relay to pick itself in a circuit path like so
     (R1: Relay, G: Guard, E: Exit):

         R1 -> G -> R1 -> E

     This leads to a log warning on the Guard node and the circuit
     being closed immediately because tor doesn't allow extending to
     the previous node.

     Furthermore, a relay can also pick itself as a primary guard,
     leading to it being unable to open any circuits for a while, until
     enough failures have been recorded and the guard is switched.

     This can only happen if the relay doesn't have all descriptors
     downloaded yet, and if it considers itself in the consensus.

     This affects versions in the >= 0.2.0.x series, which is basically
     every relay on the network.

 MITIGATION NOTES:

     1. If you are using tor but it is not configured as a relay, this
        doesn't affect you.

     2. This can have anonymity consequences if you are running an
        onion service and a relay at the same time on the same tor
        instance. It is something we do NOT recommend in the first
        place, so: avoid doing this.

 ACKNOWLEDGMENTS:

    Thanks to the Tor network team members who tracked this down!

 FIX:

    Everyone affected should upgrade to one of the releases with the fix
    for this issue: 0.2.5.16, 0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or
    0.3.2.6-alpha.
 }}}

--

Comment:

 Fixed in today's security releases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24333#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

