[tor-bugs] #24430 [Core Tor/Tor]: Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points (was: Fix TROVE-2017-013)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Dec 1 14:02:32 UTC 2017


#24430: Fix TROVE-2017-013: Use-after-free in onion service v2 when rotating intro points
----------------------------+------------------------------------
 Reporter:  dgoulet         |          Owner:  (none)
     Type:  defect          |         Status:  closed
 Priority:  Medium          |      Milestone:  Tor: 0.3.3.x-final
Component:  Core Tor/Tor    |        Version:
 Severity:  Normal          |     Resolution:  fixed
 Keywords:  trove-2017-013  |  Actual Points:
Parent ID:                  |         Points:
 Reviewer:                  |        Sponsor:
----------------------------+------------------------------------
Changes (by nickm):

 * status:  new => closed
 * resolution:   => fixed


Old description:

> Ticket for high severity issue TROVE-2017-013
>
> See https://trac.torproject.org/projects/tor/wiki/TROVE

New description:

 Ticket for high severity issue TROVE-2017-013

 See https://trac.torproject.org/projects/tor/wiki/TROVE

 {{{
 TROVE-2017-13: Use-after-free in onion service v2 when rotating intro
 points

 SEVERITY: High

 ALSO TRACKED AS: CVE-2017-8823

 DESCRIPTION

     An onion service v2 expires its intro points regularly at least
     once every 24 hours. While removing an intro point, if no circuit
     is found, it is put in a retry list. Then just after, if it is
     removed because it is expiring, it is put in the expiring list.

     Tor then tries to open a circuit to that node and, on failure, it
     will free the intro point without removing it from the expiring
     list ultimately leading to a use-after-free.

     This can only happen in specific conditions, which are that the
     service is unable to launch circuits (this can happen if it is
     missing descriptors, for instance) and the intro point was just
     being expired. It only affects version 2 services.

 MITIGATION NOTES:

     1. If you are not running an onion service, this doesn't affect
        you.

     2. If you are running tor version <= 0.2.6, this doesn't affect
        you.

     3. We believe this to be quite difficult to trigger remotely
        because of the specific conditions that tor needs to be
        in. However, it could be possible but hard to be induced by a
        malicious Guard node suspecting a connection to be an onion
        service.

 ACKNOWLEDGMENTS:

     Thanks to an anonymous reporter on our bugtracker that opened a
     ticket which led to the discovery of this issue.

 FIX:

     Anybody running an onion service on an affected version should
     upgrade to one of the releases with the fix for this issue:
     0.2.8.17, 0.2.9.14, 0.3.0.13, 0.3.1.9, or 0.3.2.6-alpha.
 }}}
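The sequence in the DESCRIPTION above is an ownership bug: one object is referenced from two bookkeeping lists, and the failure path frees it after unlinking it from only one of them. The following C program is an added illustration of that bug class and its fix; it is not Tor's code, and the names `intro_point_t`, `service_t`, `retry`, `expiring`, `free_intro_point` and `simulate_rotation` are assumptions chosen for the model. It replays the three steps from the advisory (no circuit found, so queued for retry; also expiring, so queued for expiry; circuit launch fails, so freed) and reports whether the expiring list still holds the freed address, comparing only recorded pointer values so no freed memory is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the TROVE-2017-013 bug class; not Tor's code.
 * An intro point can sit in several bookkeeping lists at once. Freeing
 * it after removing it from only one of them leaves a dangling pointer. */
#define MAX_LIST 8

typedef struct intro_point {
  int id;
  int has_circuit;   /* 0: no circuit yet, so a launch will be retried */
} intro_point_t;

typedef struct list {
  intro_point_t *items[MAX_LIST];
  int n;
} list_t;

/* Minimal service with the two lists the advisory mentions (assumed names). */
typedef struct service {
  list_t retry;      /* intro points without a circuit, to be retried */
  list_t expiring;   /* intro points being rotated out */
} service_t;

static void list_add(list_t *l, intro_point_t *ip)
{
  if (l->n < MAX_LIST)
    l->items[l->n++] = ip;
}

/* Unlink ip by swapping the last element into its slot. Returns 1 if found. */
static int list_remove(list_t *l, const intro_point_t *ip)
{
  for (int i = 0; i < l->n; i++) {
    if (l->items[i] == ip) {
      l->items[i] = l->items[--l->n];
      return 1;
    }
  }
  return 0;
}

/* Count entries whose stored address equals addr. The address is recorded
 * before free(), so only pointer values are compared; nothing freed is read. */
static int list_count_addr(const list_t *l, uintptr_t addr)
{
  int count = 0;
  for (int i = 0; i < l->n; i++)
    if ((uintptr_t)l->items[i] == addr)
      count++;
  return count;
}

/* Free an intro point. With complete_cleanup == 0 this mirrors the flaw in
 * the advisory: the object is unlinked from the retry list only. With
 * complete_cleanup != 0 every list that may reference it is cleaned first. */
static void free_intro_point(service_t *svc, intro_point_t *ip, int complete_cleanup)
{
  list_remove(&svc->retry, ip);
  if (complete_cleanup)
    list_remove(&svc->expiring, ip);   /* the fix: drop every reference before free */
  free(ip);
}

/* Replay the advisory's sequence and return how many stale references the
 * expiring list still holds afterwards: 1 on the buggy path, 0 when fixed. */
int simulate_rotation(int complete_cleanup)
{
  service_t svc = {0};
  intro_point_t *ip = calloc(1, sizeof(*ip));
  if (!ip)
    return -1;
  ip->id = 1;

  /* 1. No circuit found while removing the intro point: queued for retry. */
  if (!ip->has_circuit)
    list_add(&svc.retry, ip);

  /* 2. It is also being expired, so it is placed in the expiring list too. */
  list_add(&svc.expiring, ip);

  /* 3. The circuit launch fails (e.g. missing descriptors) and the intro
   *    point is freed. Record its address before it goes away. */
  uintptr_t addr = (uintptr_t)ip;
  free_intro_point(&svc, ip, complete_cleanup);

  /* Any later walk of the expiring list would touch freed memory if non-zero. */
  return list_count_addr(&svc.expiring, addr);
}

int main(void)
{
  printf("buggy cleanup: %d stale reference(s)\n", simulate_rotation(0));
  printf("fixed cleanup: %d stale reference(s)\n", simulate_rotation(1));
  return 0;
}
```

The general lesson for reviewing this kind of code is to treat free() as the last step of a single teardown routine that knows every container the object can live in; a free that follows one list removal is a sign that other lists were not considered.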

--

Comment:

 Fixed in today's security releases.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/24430#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online