Tor Browser and Tor Infrastructure Audit Results: Key Vulnerabilities and Fixes

The developers of the Tor anonymity network have published the results of a security audit of Tor Browser and several related tools developed by the project: OONI Probe, rdsys, BridgeDB, and Conjure, which are used to bypass censorship. The audit was performed by Cure53 between November 2022 and April 2023.

Summary of Findings

The audit identified nine vulnerabilities: two rated critical, one medium, and six low severity. A further ten findings were not security-related and were classified as general code-quality improvements. Overall, the auditors noted that the Tor project's code follows secure programming practices.

Critical Vulnerabilities

  • rdsys Backend Authentication Flaw: The first critical vulnerability was in the backend of rdsys, the resource distribution system that delivers proxy lists, bridge lines, and download links to censored users. The resource registration handler accepted requests without any authentication, so an attacker could register a resource of their own (for example, a bridge they control) for delivery to users simply by sending an HTTP request to that handler.
  • Tor Browser Bridge List Signature Check: The second critical vulnerability was in Tor Browser, which accepted the bridge list obtained via rdsys and BridgeDB without verifying a digital signature on it. Because the list is fetched before Tor Browser has a connection to the Tor network, the absence of cryptographic verification meant that an attacker who intercepted the download or compromised the server distributing the list could alter its contents. A successful attack would route the user's traffic through a bridge controlled by the attacker.
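The following is an added example in Go (rdsys itself is written in Go); it is illustrative code written for this page, not rdsys's or Tor Browser's own code. It models a minimal resource registry whose registration handler can run in the unauthenticated form the audit found or in a token-protected form, and a bridge list that the client side accepts only after an Ed25519 signature over it verifies under a pinned public key. The SignedList JSON format, the bearer-token scheme, the handler path, and the bridge lines are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SignedList is a hypothetical wire format: the serialized bridge list plus a detached Ed25519 signature over exactly those bytes.
type SignedList struct {
	List      []byte `json:"list"`
	Signature []byte `json:"sig"`
}

// Registry is a toy in-memory stand-in for the rdsys backend; each resource is one bridge line.
type Registry struct {
	bridges []string
	token   string             // shared secret a registrar must present
	signKey ed25519.PrivateKey // signs the list handed to clients
}

// NewRegistry returns a registry and the public key that clients pin.
func NewRegistry(token string) (*Registry, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Registry{token: token, signKey: priv}, pub
}

// RegisterHandler returns the registration endpoint. requireAuth=false reproduces the
// audited flaw: anyone who can reach the handler can add a bridge that will be handed
// to users. requireAuth=true is the fix: a bearer token checked in constant time.
func (r *Registry) RegisterHandler(requireAuth bool) http.HandlerFunc {
	want := []byte("Bearer " + r.token)
	return func(w http.ResponseWriter, req *http.Request) {
		got := []byte(req.Header.Get("Authorization"))
		if requireAuth && subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var bridge string
		if err := json.NewDecoder(io.LimitReader(req.Body, 64<<10)).Decode(&bridge); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		r.bridges = append(r.bridges, bridge)
		w.WriteHeader(http.StatusCreated)
	}
}

// SignedListBody is what the distributor sends: the bridge list and its signature. With
// tamper set it models an on-path attacker who appends a bridge but cannot forge the signature.
func (r *Registry) SignedListBody(tamper bool) []byte {
	list, _ := json.Marshal(r.bridges)
	sig := ed25519.Sign(r.signKey, list)
	if tamper {
		list, _ = json.Marshal(append(append([]string{}, r.bridges...), "obfs4 198.51.100.7:443 attacker-controlled"))
	}
	out, _ := json.Marshal(SignedList{List: list, Signature: sig})
	return out
}

// VerifyList is the client-side check the audit found missing: the list is used only if
// its signature validates under the pinned key, so an altered list is rejected before any bridge in it is contacted.
func VerifyList(pub ed25519.PublicKey, body []byte) ([]string, error) {
	var sl SignedList
	if err := json.Unmarshal(body, &sl); err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, sl.List, sl.Signature) {
		return nil, errors.New("bridge list signature invalid")
	}
	var bridges []string
	return bridges, json.Unmarshal(sl.List, &bridges)
}

// Register drives the registration endpoint in-process and returns the HTTP status.
func (r *Registry) Register(requireAuth bool, auth, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/register", strings.NewReader(body))
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	r.RegisterHandler(requireAuth)(rec, req)
	return rec.Code
}

func main() {
	reg, pub := NewRegistry("example-token")
	planted := `"obfs4 203.0.113.5:443 planted-by-attacker"`
	fmt.Println("vulnerable handler, no token:", reg.Register(false, "", planted)) // 201
	fmt.Println("hardened handler, no token:  ", reg.Register(true, "", planted))  // 401
	_, err := VerifyList(pub, reg.SignedListBody(true))
	fmt.Println("tampered list rejected:", err != nil) // true
}
```

Two details carry the weight here. The token comparison uses crypto/subtle so that a wrong token cannot be distinguished from a right one by timing, and it runs before the request body is parsed. On the client side, the signature is checked before the list is even deserialized, and the key it is checked against is pinned in the client rather than fetched alongside the list; a list that was modified in transit, or served by a compromised distributor that lacks the signing key, fails the check and no bridge in it is ever contacted.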

Medium Severity Vulnerability

A medium-severity vulnerability was found in the rdsys deployment script. An attacker who already had access to the server and write permission to the temporary files directory could escalate from the "nobody" user to the "rdsys" user by replacing an executable in /tmp that the script runs. With "rdsys" privileges, the attacker could then modify the executables run by rdsys itself.
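An added example in Go, illustrative rather than rdsys's real deployment script, showing the pattern behind this finding next to the usual fix. The weak variant runs a helper from a fixed, predictable name inside a shared, world-writable directory, so whoever can write there first decides what gets executed. The hardened variant never trusts anything already under /tmp: it creates a fresh private directory with os.MkdirTemp, verifies that the directory is a plain directory owned by the current user and not writable by anyone else, copies the trusted helper in, and only then runs it. The helper file name, the planted script, the directory layout, and the Unix-only ownership check via syscall.Stat_t are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"syscall"
)

// helperName is the fixed file name the hypothetical deploy step executes. This is a
// model of the pattern behind the finding, not rdsys's real deployment script.
const helperName = "rdsys-helper.sh"

// WeakRunHelper reproduces the flaw: it executes a helper from a predictable path in a
// shared, world-writable directory (/tmp in the real layout), so any local user such as "nobody" can plant it.
func WeakRunHelper(shared string) (string, error) {
	out, err := exec.Command("sh", filepath.Join(shared, helperName)).Output()
	return strings.TrimSpace(string(out)), err
}

// CheckPrivateDir accepts a staging directory only if it is a real directory (not a symlink),
// owned by the current user (read via syscall.Stat_t, so Unix-like hosts only) and not writable by group or others.
func CheckPrivateDir(dir string) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.IsDir() {
		return errors.New("staging path is not a plain directory")
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return fmt.Errorf("staging dir is group/world writable (%#o)", fi.Mode().Perm())
	}
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Getuid() {
		return errors.New("staging dir is not owned by the current user")
	}
	return nil
}

// HardenedRunHelper trusts nothing already under /tmp: it creates a fresh private directory
// with os.MkdirTemp (unpredictable name, mode 0700), re-checks it, copies the trusted helper in, then runs it.
func HardenedRunHelper(trustedHelper string) (string, error) {
	staging, err := os.MkdirTemp("", "rdsys-deploy-")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(staging)
	if err := CheckPrivateDir(staging); err != nil {
		return "", err
	}
	src, err := os.ReadFile(trustedHelper)
	if err != nil {
		return "", err
	}
	dst := filepath.Join(staging, helperName)
	if err := os.WriteFile(dst, src, 0o700); err != nil {
		return "", err
	}
	out, err := exec.Command("sh", dst).Output()
	return strings.TrimSpace(string(out)), err
}

// Scenario builds a constructed setting: a world-writable shared directory in which an
// "attacker" has already planted helperName, plus a trusted helper stored elsewhere.
func Scenario() (shared, trusted string, err error) {
	if shared, err = os.MkdirTemp("", "shared-"); err != nil {
		return
	}
	if err = os.Chmod(shared, 0o777|os.ModeSticky); err != nil {
		return
	}
	if err = os.WriteFile(filepath.Join(shared, helperName), []byte("echo planted-by-attacker\n"), 0o644); err != nil {
		return
	}
	f, err := os.CreateTemp("", "trusted-helper-")
	if err != nil {
		return
	}
	trusted = f.Name()
	_, err = f.WriteString("echo trusted-helper\n")
	f.Close()
	return
}

// RemoveScenario deletes what Scenario created.
func RemoveScenario(shared, trusted string) {
	os.RemoveAll(shared)
	os.Remove(trusted)
}

func main() {
	shared, trusted, err := Scenario()
	if err != nil {
		panic(err)
	}
	defer RemoveScenario(shared, trusted)
	fmt.Println(WeakRunHelper(shared))     // planted-by-attacker <nil>
	fmt.Println(HardenedRunHelper(trusted)) // trusted-helper <nil>
	fmt.Println(CheckPrivateDir(shared))    // staging dir is group/world writable (0777)
}
```

The check matters as much as the private directory: a deploy step that is handed a staging path from configuration or an environment variable should refuse it if it turns out to be a symlink, owned by someone else, or group/world writable, because any of those lets a less privileged local user replace what the privileged step executes.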

Low Severity Vulnerabilities

Most of the low-severity findings concerned outdated dependencies with known vulnerabilities or potential denial-of-service conditions. Minor issues in Tor Browser included:

  • The ability to bypass the JavaScript execution restrictions of the highest security level
  • The absence of restrictions on file downloads
  • Potential information leakage through the user's home page, which could allow tracking across browser restarts

Remediation and Updates

All identified vulnerabilities have since been fixed. In particular, authentication is now required for all rdsys handlers, and Tor Browser verifies a digital signature on the bridge lists it loads.

Additional Updates

Separately, Tor Browser 13.0.1 has been released. It is based on the Firefox 115.4.0 ESR codebase, which fixes 19 vulnerabilities, 13 of them rated critical. The Android build of Tor Browser 13.0.1 additionally includes security fixes from Firefox 119.
