CVE-2017-11565 in Tor

Summary

by MITRE

debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was designed to execute aa-exec from the standard system pathname if the apparmor package is installed, but implements this incorrectly (with a wrong assumption that the specific pathname would remain the same forever), which allows attackers to bypass intended AppArmor restrictions by leveraging the silent loss of this protection mechanism. NOTE: this does not affect systems, such as default Debian stretch installations, on which Tor startup relies on a systemd unit file (instead of this tor.init script).


Analysis

by VulDB Data Team • 01/06/2021

CVE-2017-11565 is a critical security flaw in the Debian tor package that undermines the AppArmor protections intended for the Tor anonymity service. It affects the debian/tor.init initialization script shipped in the tor_0.2.9.11-1~deb9u1 package, which executes aa-exec from the standard system pathname when the apparmor package is installed. The flaw stems from the incorrect assumption that the pathname of aa-exec would remain constant over time; once that assumption no longer holds, a persistent security gap opens that lets attackers bypass the intended AppArmor restrictions. The vulnerability is a classic case of path traversal or path resolution failure that compromises the security model designed to isolate Tor processes from the rest of the system.

Technically, the problem lies in how the init script resolves the system path: the code assumes that aa-exec will always be found at a predetermined absolute path. When the apparmor package is installed, tor.init invokes aa-exec to enforce the security policy, but because of the hardcoded path assumption it may fail to find the executable at the expected location. That failure silently disables the AppArmor protection mechanism, leaving Tor running without the intended security constraints. The vulnerability is particularly dangerous because it is silent: administrators remain unaware that the confinement has been lost. In CWE terms this is a weakness in path resolution that can lead to privilege escalation and arbitrary code execution, and the ATT&CK framework would categorize it under privilege escalation techniques that leverage system configuration flaws.

The operational impact of CVE-2017-11565 goes beyond a simple bypass of security controls, since it fundamentally weakens the security posture of systems running affected Tor versions. With AppArmor protection disabled, malicious actors can potentially exploit the Tor service to perform unauthorized activities while maintaining anonymity, because the system no longer enforces the boundaries designed to prevent such access. The vulnerability affects systems that start Tor through the traditional SysV init script, where the security benefit of AppArmor is nullified by a simple path resolution error. Because the bypass is silent, security monitoring systems may not detect it, which makes it especially dangerous in environments where Tor is used for legitimate privacy protection. The risk also persists until the system is patched or the init script is corrected by hand, as the flawed path assumption keeps causing the protection mechanism to fail.

Systems that start Tor through a systemd unit file are unaffected, because the systemd implementation does not have the path resolution issue present in the traditional init script. The distinction shows how important proper path handling is in security-critical components, and how different init mechanisms can carry different security implications. The recommended mitigations are to update to a patched version of the tor package in which the path resolution correctly handles changing system paths, or to modify the init script manually so that it locates the aa-exec binary dynamically, for example with which or command -v, rather than relying on a hardcoded path. Security administrators should also monitor for AppArmor protection being unexpectedly disabled and audit system initialization scripts regularly for similar path resolution flaws. The vulnerability is a reminder of how important correct path handling is in security-sensitive code, and of the consequences when such code assumes static system conditions that may change over time.
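The following is an added example, not the Debian package's own tor.init: it contrasts the fixed-pathname lookup described above with a PATH-based lookup (command -v) that fails closed when aa-exec is missing, and adds the check an administrator can run to confirm the tor process really is confined. The /usr/sbin/aa-exec location and the system_tor profile name are assumptions, not values taken from the advisory.

```shell
#!/bin/sh
# Added example (not Debian's tor.init). Assumed values: /usr/sbin/aa-exec
# as the hardcoded location, system_tor as the AppArmor profile name.

AA_EXEC_FIXED=/usr/sbin/aa-exec

# Weak pattern: test one absolute path and, when the binary is not there,
# print an empty wrapper so tor starts unconfined with exit status 0.
# $1 = 1 if the apparmor package is installed, $2 = profile name.
aa_prefix_fixed() {
    [ "$1" = 1 ] || { echo ""; return 0; }
    if [ -x "$AA_EXEC_FIXED" ]; then
        echo "$AA_EXEC_FIXED -p $2 --"
    else
        echo ""          # silent loss of confinement: no error, no wrapper
    fi
}

# Hardened pattern: resolve aa-exec through PATH at run time with
# command -v, and treat "apparmor installed but aa-exec missing" as a
# hard failure (return 2) instead of quietly starting tor unconfined.
aa_prefix() {
    [ "$1" = 1 ] || { echo ""; return 0; }
    aa_path=$(command -v aa-exec 2>/dev/null) || return 2
    echo "$aa_path -p $2 --"
}

# Detection: AppArmor publishes a process's label in /proc/<pid>/attr/current
# as "unconfined" or "<profile> (enforce|complain)". The file path is taken
# as an argument so the check can be exercised on constructed input offline.
# Returns 0 when confined, 1 when unconfined or unreadable.
tor_confined() {
    aa_label=$(cat "$1" 2>/dev/null) || return 1
    case "$aa_label" in
        unconfined|"") return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-alone demonstration: a fixed path that no longer exists yields an
# empty wrapper and a zero exit status, which is exactly the silent failure.
printf 'fixed lookup gives: "%s"\n' \
    "$(AA_EXEC_FIXED=/nonexistent/aa-exec; aa_prefix_fixed 1 system_tor)"
```

On a live system the confinement check is tor_confined /proc/$(pidof tor)/attr/current, run after the service has started.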

Reservation

07/23/2017

Disclosure

07/23/2017

Moderation

accepted

CPE

ready

EPSS

0.00207

KEV

no

Activities

very low
