CVE-2018-0490 in Tor

Summary

by MITRE

An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting.


Analysis

by VulDB Data Team • 02/16/2023

The vulnerability identified as CVE-2018-0490 is a critical denial-of-service weakness in the Tor network's directory authority infrastructure. The flaw exists in Tor versions prior to 0.2.9.15, 0.3.1.x prior to 0.3.1.10, and 0.3.2.x prior to 0.3.2.10, and affects the protocol-list subprotocol implementation that governs how directory authorities parse and validate the protocol versions advertised in relay descriptors. The defect lies in the voting path of the directory authority code, where a malformed relay descriptor triggers unexpected behavior in the protocol-list handling.

The vulnerability is triggered by a misformatted relay descriptor that causes a NULL pointer dereference while the directory authority is processing descriptors for a vote. The protocol-list subprotocol does not fully validate the malformed input, the code dereferences a pointer that was never set, and the directory-authority process crashes. This is a classic instance of CWE-476 (NULL Pointer Dereference): the implementation does not adequately handle edge cases or malformed input during relay descriptor validation and voting.

The operational impact goes beyond simple service disruption, because it undermines the integrity of the Tor network's directory authority system. Directory authorities are the components responsible for maintaining the network consensus and relay information, so their unavailability directly affects network stability and availability. When an authority crashes on the NULL pointer dereference, it cannot participate in the voting round, which can lead to consensus failures and network fragmentation. This vulnerability aligns with ATT&CK technique T1499.004, which covers network disruption through denial-of-service attacks against critical infrastructure components.

The implications for Tor network security are significant, since malicious actors could use this vulnerability to sustain disruption of the directory authority system. Because directory authorities are essential to the network's distributed consensus mechanism, knocking them offline reduces network reliability and could open the way to more sophisticated attacks against the Tor infrastructure. The vulnerability reflects insufficient input validation in the Tor protocol implementation and underlines the importance of robust error handling in security-critical systems. Organizations and network operators should prioritize patching affected Tor versions to prevent exploitation and keep their directory authority services available. The fix shipped in the versions listed above addresses the NULL pointer dereference by adding input validation and error handling to the protocol-list subprotocol.
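The defect class described above (a parser that yields nothing on malformed input, followed by a caller that dereferences the result unconditionally) can be shown with a small stand-alone example. The code below is an added illustration, not Tor's protover code or the actual fix; the `Name=1,3-5` entry syntax is a simplification modeled on Tor's protocol-list format, and `parse_entry` and `line_supports` are hypothetical names. The hardened caller treats a NULL result as "reject this descriptor" instead of dereferencing it, which is the CWE-476 mitigation the analysis refers to.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROTO_NAME_MAX 32

/* One protocol-list entry, e.g. "Link=1-4" -> name "Link", versions {1,2,3,4}.
 * The syntax is a simplification assumed for this example; versions are kept
 * as a 64-bit mask so only versions 0..63 are representable. */
typedef struct {
    char name[PROTO_NAME_MAX];
    uint64_t versions;
} proto_entry_t;

/* Parse a single "Name=ver,lo-hi,..." entry.
 * Returns a heap-allocated entry, or NULL if the entry is malformed
 * (empty name, missing '=', empty or non-numeric version list, open range). */
proto_entry_t *parse_entry(const char *s)
{
    if (!s) return NULL;
    const char *eq = strchr(s, '=');
    if (!eq || eq == s || (size_t)(eq - s) >= PROTO_NAME_MAX) return NULL;

    proto_entry_t *e = calloc(1, sizeof *e);
    if (!e) return NULL;
    memcpy(e->name, s, (size_t)(eq - s));

    const char *p = eq + 1;
    if (*p == '\0') { free(e); return NULL; }      /* "Name=" with no versions */
    while (*p) {
        char *end;
        if (!isdigit((unsigned char)*p)) { free(e); return NULL; }
        unsigned long lo = strtoul(p, &end, 10), hi = lo;
        if (*end == '-') {                           /* range "lo-hi" */
            if (!isdigit((unsigned char)end[1])) { free(e); return NULL; }
            hi = strtoul(end + 1, &end, 10);
        }
        if (lo > hi || hi > 63) { free(e); return NULL; }
        for (unsigned long v = lo; v <= hi; v++) e->versions |= (uint64_t)1 << v;
        if (*end == ',') {
            p = end + 1;
            if (*p == '\0') { free(e); return NULL; } /* trailing comma */
        } else if (*end == '\0') {
            p = end;
        } else {
            free(e); return NULL;                    /* unexpected character */
        }
    }
    return e;
}

/* Check whether a space-separated protocol line advertises `name` at `ver`.
 * Returns 1 if supported, 0 if not, and -1 if any entry is malformed.
 * The vulnerable pattern would be `parse_entry(tok)->versions` with no NULL
 * check; here a NULL result rejects the whole line and never dereferences it. */
int line_supports(const char *line, const char *name, unsigned ver)
{
    if (!line || !name || ver > 63) return -1;
    int result = 0;
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ') end++;
        char tok[64];
        size_t n = (size_t)(end - p);
        if (n >= sizeof tok) return -1;
        memcpy(tok, p, n);
        tok[n] = '\0';

        proto_entry_t *e = parse_entry(tok);
        if (!e) return -1;                           /* hardened: reject, don't crash */
        if (strcmp(e->name, name) == 0 && ((e->versions >> ver) & 1)) result = 1;
        free(e);
        p = end;
    }
    return result;
}

int main(void)
{
    /* Constructed sample lines; the second one is deliberately malformed. */
    const char *good = "Desc=1-2 Link=1-4";
    const char *bad  = "Desc=1-2 Link=";
    printf("good: Link 3 -> %d\n", line_supports(good, "Link", 3));
    printf("bad:  Desc 1 -> %d (rejected, not dereferenced)\n",
           line_supports(bad, "Desc", 1));
    return 0;
}
```

The important part is the single `if (!e) return -1;` line: a parser may legitimately refuse malformed input, and every caller has to treat that refusal as a rejected descriptor rather than a valid pointer.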

Reservation: 11/27/2017

Disclosure: 03/05/2018

Moderation: accepted

CPE: ready

EPSS: 0.00816

KEV: no

Activities: very low

Sources
