Tor up to 0.2.4.22 Cell Protocol relay_early information disclosure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.2 | $0-$5k | 0.00 |
A vulnerability was found in Tor up to 0.2.4.22 (Network Encryption Software) and classified as problematic. Affected by this issue is the function relay_early of the component Cell Protocol Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality.
The weakness was disclosed 07/30/2014 by arma as Tor security advisory: "relay early" traffic confirmation attack as confirmed blog post (Website). The advisory is available at blog.torproject.org. The blog post contains:
We believe they used a combination of two classes of attacks: a traffic confirmation attack and a Sybil attack. A traffic confirmation attack is possible when the attacker controls or observes the relays on both ends of a Tor circuit and then compares traffic timing, volume, or other characteristics to conclude that the two relays are indeed on the same circuit. (...) the second class of attack they used, in conjunction with their traffic confirmation attack, was a standard Sybil attack — they signed up around 115 fast non-exit relays, all running on 50.7.0.0/16 or 204.45.0.0/16. Together these relays summed to about 6.4% of the Guard capacity in the network. Then, in part because of our current guard rotation parameters, these relays became entry guards for a significant chunk of users over their five months of operation.This vulnerability is handled as CVE-2014-5117 since 07/30/2014. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a private exploit are known. This vulnerability is assigned to T1592 by the MITRE ATT&CK project.
After even before and not, there has been an exploit disclosed. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 181 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 77038 (Mandriva Linux Security Advisory : tor (MDVSA-2014:150)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Mandriva Local Security Checks. This vulnerability was actively exploited from January 30, 2014 through July 4, 2014, possibly to determine both users and publishers of hidden service descriptors.
Upgrading to version 0.2.4.23 or 0.2.5.6-alpha eliminates this vulnerability.
The vulnerability is also documented in the databases at X-Force (95053) and Tenable (77038).
Product
Type
Name
Version
- 0.2.4.0
- 0.2.4.1
- 0.2.4.2
- 0.2.4.3
- 0.2.4.4
- 0.2.4.5
- 0.2.4.6
- 0.2.4.7
- 0.2.4.8
- 0.2.4.9
- 0.2.4.10
- 0.2.4.11
- 0.2.4.12
- 0.2.4.13
- 0.2.4.14
- 0.2.4.15
- 0.2.4.16
- 0.2.4.17
- 0.2.4.18
- 0.2.4.19
- 0.2.4.20
- 0.2.4.21
- 0.2.4.22
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 3.7VulDB Meta Temp Score: 3.2
VulDB Base Score: 3.7
VulDB Temp Score: 3.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Information disclosureCWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Access: Private
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 77038
Nessus Name: Mandriva Linux Security Advisory : tor (MDVSA-2014:150)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 702993
OpenVAS Name: Debian Security Advisory DSA 2993-1 (tor - security update)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: Tor 0.2.4.23/0.2.5.6-alpha
Timeline
01/30/2014 🔍07/30/2014 🔍
07/30/2014 🔍
07/30/2014 🔍
07/30/2014 🔍
07/30/2014 🔍
07/30/2014 🔍
07/31/2014 🔍
08/01/2014 🔍
08/03/2014 🔍
08/07/2014 🔍
02/10/2022 🔍
Sources
Advisory: Tor security advisory: "relay early" traffic confirmation attackResearcher: arma
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2014-5117 (🔍)
OVAL: 🔍
X-Force: 95053 - Tor RELAY and RELAY_EARLY weak security, Medium Risk
SecurityTracker: 1030655 - Tor 'relay_early' Cell Protocol Lets Certain Remote Users Conduct Traffic Confirmation Attacks
Vulnerability Center: 45660 - Tor Before 0.2.4.23 and 0.2.5 Before 0.2.5.6-alpha Remote Information Disclosure Vulnerability, Medium
SecurityFocus: 68968 - Tor CVE-2014-5117 RELAY_EARLY Security Vulnerability
Secunia: 60647 - Debian update for tor, Not Critical
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 07/31/2014 14:50Updated: 02/10/2022 03:20
Changes: 07/31/2014 14:50 (93), 06/03/2017 07:41 (3), 02/10/2022 03:12 (3), 02/10/2022 03:20 (1)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.