Tor Browser Updates Address Two DoS Vulnerabilities
The developers of the Tor Browser have released new maintenance versions (0.3.5.10, 0.4.1.9, 0.4.2.7, and 0.4.3.3-alpha) to fix two security vulnerabilities.
Details of the Vulnerabilities
- The first vulnerability (CVE-2020-10592): This issue could be exploited by any attacker to cause a denial of service (DoS) on Tor nodes. The attack can also be launched from Tor directory servers to target connected clients and hidden services. An attacker could create a high CPU load, disrupting normal operation for several seconds or minutes, and could repeat the attack multiple times. This problem affects all versions of the browser starting from release 0.2.1.5-alpha.
- The second vulnerability (CVE-2020-10593): This is a remotely exploitable memory leak that occurs when additional cells are negotiated twice for the same circuit.
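A defender can check a deployed release against the fixed versions listed above. The following is an added example, not code from the Tor Project or the original article; it assumes the version string has the form printed by `tor --version` and that the four version numbers alone determine ordering, and the function names and status labels are hypothetical.

```python
import re

# Fixed releases named in the article, keyed by release series (first three
# numbers); the value is the lowest fixed fourth number in that series.
FIXED = {(0, 3, 5): 10, (0, 4, 1): 9, (0, 4, 2): 7, (0, 4, 3): 3}
# First release the article lists as affected by CVE-2020-10592 (0.2.1.5-alpha).
FIRST_AFFECTED = (0, 2, 1, 5)
NEWEST_FIXED_SERIES = max(FIXED)

# Assumption: status tags such as "-alpha" are informational and are ignored
# when ordering versions; only the four numbers are compared.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four version numbers found in e.g. 'Tor version 0.4.2.6.'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(text):
    """Classify a version string against the releases listed in the article."""
    v = parse_version(text)
    series, patch = v[:3], v[3]
    if v < FIRST_AFFECTED:
        # Older than the affected range the article gives for CVE-2020-10592.
        return "predates-CVE-2020-10592"
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "vulnerable"
    if series < NEWEST_FIXED_SERIES:
        # Inside the affected range, but no fixed release is listed for this
        # series, so the remedy is moving to a series that has one.
        return "vulnerable"
    # Newer series than the article covers: consult that series' changelog.
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from real hosts.
    for line in ["Tor version 0.4.2.6.", "Tor version 0.4.2.7.",
                 "0.4.3.2-alpha", "0.4.0.5", "0.4.4.1-alpha"]:
        print(f"{line:24} -> {assess(line)}")
```
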
Unresolved Issue in NoScript Extension
In Tor Browser version 9.0.6, there remains an unresolved vulnerability in the NoScript extension that allows JavaScript code to run even in the “Safest” security mode. An attempt was made to fix this issue in NoScript 11.0.17, but the proposed solution did not fully resolve the problem. Since Tor includes automatic updates for NoScript, users will receive the fix as soon as it becomes available.