In-depth analysis: what Tor security holes were found?
The creators of Tor Browser, a popular tool for browsing the Internet anonymously, have made the results of a full security audit public. The main projects that were checked out were Tor Browser, OONI Probe, rdsys, BridgeDB, and Conjure. From November 2022 to April 2023, the review was done by experts from Cure53.
Nine security holes were found during the scan. Two of these vulnerabilities were seriously flawed, one was thought to be moderately dangerous, and the other six were deemed minor. Ten technical flaws that were not directly related to security issues were also found. But it has been found that the Tor code follows the rules for safe programming.
Most important weaknesses:
- The first rdsys vulnerability that could be dangerous: A weakness was found in the rdsys backend, which sends resources like proxy lists and download links to users. When trying to get to the resource registration handler, there wasn't enough authentication. This made it possible for the attacker to list his harmful resource and let users use it. By sending an HTTP request to the rdsys handler, the flaw could be taken advantage of.
- The second dangerous flaw in Tor Browser had to do with the fact that digital signatures weren't being checked when rdsys and BridgeDB loaded a list of bridges. Since this list is loaded before connecting to the Tor anonymous network, attackers could change what's on it by, say, interfering with the connection. This could mean that users connect through bridge nodes that have been hacked and are now controlled by the attacker.
- Medium severity vulnerability in rdsys: A weakness was found in the rdsys subsystem in the script for setting up the assembly. As long as the attacker had access to the server and could write to the temporary files directory, he could change his account from user nobody to user rdsys. To take advantage of the flaw, the executable file in the /tmp directory must be replaced. If an attacker gets access to the rdsys user account, they can change executable files that are run through rdsys.
Everything that could go wrong has been fixed so far. Extra safety measures have also been put in place, such as authentication for all rdsys components and checking digital signatures when adding lists to the Tor Browser.
Along with fixing 19 vulnerabilities, a new version of Tor Browser 13.0.1 was released. It was based on Firefox 115.4.0 ESR. Fixed security holes in Firefox branch 119 have been moved to Tor Browser 13.0.1 for Android.