Audit results of Tor Browser and Tor infrastructure components

The developers of the anonymous Tor network have published the results of an audit of the Tor Browser and the OONI Probe, rdsys, BridgeDB and Conjure tools developed by the project, used to bypass censorship. The audit was conducted by Cure53 from November 2022 to April 2023.

During the audit, 9 vulnerabilities were identified: two were rated high severity, one medium severity, and 6 low severity. A further 10 issues were found in the code base that were classified as non-security-related flaws. Overall, the auditors note that the Tor Project's code follows secure programming practices.

The first high-severity vulnerability was in the backend of rdsys, the distributed system that delivers resources such as proxy lists and download links to censored users. It was caused by a lack of authentication on the resource registration handler and allowed an attacker to register their own malicious resource for delivery to users; exploitation came down to sending an HTTP request to the rdsys handler.
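The fix the article reports for this class of bug is authentication on every rdsys handler. The following Go program is an added illustration, not rdsys's own code: a minimal resource registration endpoint that rejects any request lacking a valid bearer token before it parses the body. The JSON field names, the token, the in-memory registry and the sample obfs4 line (TEST-NET address) are all constructed for the example; removing the `authorized` check is exactly the weakness the audit describes.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// resource stands in for the objects rdsys hands out (a proxy or bridge line).
// The field names are assumptions for this example, not rdsys's own schema.
type resource struct {
	Type    string `json:"type"`
	Address string `json:"address"`
}

// registry is an in-memory stand-in for the rdsys backend store.
type registry struct {
	mu        sync.Mutex
	resources []resource
}

// authorized compares the presented bearer token with the configured one in
// constant time, so the comparison does not leak the token through timing.
func authorized(r *http.Request, token string) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return false
	}
	got := strings.TrimPrefix(h, prefix)
	return subtle.ConstantTimeCompare([]byte(got), []byte(token)) == 1
}

// registrationHandler is the hardened variant: the token is checked before
// the body is read. The audited weakness is this handler without that check.
func (reg *registry) registrationHandler(token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authorized(r, token) {
			w.Header().Set("WWW-Authenticate", `Bearer realm="rdsys"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var res resource
		// Cap the body so an authenticated client cannot exhaust memory either.
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<16)).Decode(&res); err != nil ||
			res.Type == "" || res.Address == "" {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		reg.mu.Lock()
		reg.resources = append(reg.resources, res)
		reg.mu.Unlock()
		w.WriteHeader(http.StatusCreated)
	})
}

// register sends one registration request to h and returns the HTTP status
// and the number of resources the registry holds afterwards.
func register(h http.Handler, reg *registry, token, body string) (int, int) {
	req := httptest.NewRequest(http.MethodPost, "/register", strings.NewReader(body))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	reg.mu.Lock()
	defer reg.mu.Unlock()
	return rec.Code, len(reg.resources)
}

func main() {
	const token = "example-only-token" // constructed; load from config in practice
	reg := &registry{}
	h := reg.registrationHandler(token)
	body := `{"type":"obfs4","address":"192.0.2.10:443"}` // constructed sample

	code, n := register(h, reg, "", body) // no token: rejected, nothing stored
	fmt.Println("no token:", code, "resources:", n)
	code, n = register(h, reg, "wrong", body)
	fmt.Println("bad token:", code, "resources:", n)
	code, n = register(h, reg, token, body)
	fmt.Println("good token:", code, "resources:", n)
}
```

Putting the check ahead of body parsing matters: an unauthenticated request then costs the server nothing beyond the header lookup, and the 401 is the signal to alert on in the access logs.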


The second high-severity vulnerability was found in Tor Browser and was caused by a lack of digital-signature verification when retrieving the list of bridge nodes via rdsys and BridgeDB. Since the list is loaded into the browser before it connects to the Tor network, the missing signature check allowed an attacker to replace the contents of the list, for example by intercepting the connection or compromising the server that distributes it. A successful attack would let the attacker steer users through a bridge node under the attacker's control.
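The mitigation the article names is signature verification of the list before it is used. The Go program below is an added example, not Tor Browser's or BridgeDB's code: the distributor signs the raw list bytes with an Ed25519 key, the client verifies the detached signature against a public key pinned in the client and parses the list only after that check passes. The key pair (derived from a fixed seed), the bridge lines (TEST-NET addresses) and the `tamper` helper that models an on-path substitution are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
	"strings"
)

// bridgeList holds the bridge lines of a list that passed signature
// verification. Nothing is parsed before the signature checks out.
type bridgeList struct {
	Bridges []string
}

var errBadSignature = errors.New("bridge list: signature verification failed")

// verifyBridgeList checks a detached Ed25519 signature over the raw list
// bytes against a key pinned in the client, then parses the list. The pinned
// key must ship with the client, never travel over the same channel as the
// list, otherwise whoever controls the channel replaces both.
func verifyBridgeList(pinned ed25519.PublicKey, raw, sig []byte) (*bridgeList, error) {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return nil, errBadSignature
	}
	if !ed25519.Verify(pinned, raw, sig) {
		return nil, errBadSignature
	}
	return parseBridgeList(raw), nil
}

// parseBridgeList keeps non-empty, non-comment lines, one bridge per line.
func parseBridgeList(raw []byte) *bridgeList {
	bl := &bridgeList{}
	for _, line := range strings.Split(string(raw), "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		bl.Bridges = append(bl.Bridges, line)
	}
	return bl
}

// signBridgeList is the distributor side; the private key stays on the
// rdsys/BridgeDB server and never reaches the client.
func signBridgeList(priv ed25519.PrivateKey, raw []byte) []byte {
	return ed25519.Sign(priv, raw)
}

// demoKeyPair derives a deterministic key pair from a one-byte fill value.
// Constructed for the example only; a real key comes from crypto/rand.
func demoKeyPair(fill byte) (ed25519.PrivateKey, ed25519.PublicKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{fill}, ed25519.SeedSize))
	return priv, priv.Public().(ed25519.PublicKey)
}

// tamper changes the port of the first bridge line, standing in for an
// attacker on the path substituting their own bridge.
func tamper(raw []byte) []byte {
	return bytes.Replace(raw, []byte(":443"), []byte(":4443"), 1)
}

func main() {
	priv, pub := demoKeyPair(0x42)
	// Constructed sample list (TEST-NET addresses, not real bridges).
	list := []byte("# bridges\nobfs4 192.0.2.10:443 0123ABCD cert=x iat-mode=0\nobfs4 198.51.100.7:443 4567EF01 cert=y iat-mode=0\n")
	sig := signBridgeList(priv, list)

	if bl, err := verifyBridgeList(pub, list, sig); err == nil {
		fmt.Println("genuine list accepted:", len(bl.Bridges), "bridges")
	}
	_, err := verifyBridgeList(pub, tamper(list), sig)
	fmt.Println("tampered list:", err)
}
```

The verify function returns the parsed list and the error together so a caller cannot accidentally use unverified bytes: the only way to get a `bridgeList` is through a successful signature check.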

The medium-severity vulnerability was in rdsys's build deployment script and allowed an attacker who already had access to the server and could write to the temporary-files directory to elevate privileges from the nobody user to the rdsys user. Exploitation involved replacing an executable located in the /tmp directory. With rdsys user rights, an attacker could modify the executables launched through rdsys.
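A deployment script that runs a binary out of a shared, world-writable directory has to trust every other local user. The Go program below is an added example, not rdsys's deployment script: it stages the binary in a fresh private directory (mode 0700) instead of a predictable path under /tmp, and refuses to run any file that is a symlink, is group- or world-writable, or sits in a group- or world-writable directory. The check deliberately inspects only the file and its immediate parent; walking every ancestor is an extension the example does not make. The staged script content and directory prefix are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// errUnsafePath is returned when the executable, or the directory holding it,
// could be replaced by users other than its owner.
var errUnsafePath = errors.New("refusing to run executable from a location writable by other users")

// checkExecutablePath rejects a binary the deployment step is about to run if
// it is a symlink (another user could repoint it), if it is group- or
// world-writable, or if its parent directory is. A shared directory such as
// /tmp is world-writable and therefore always fails this check.
func checkExecutablePath(path string) error {
	fi, err := os.Lstat(path)
	if err != nil {
		return err
	}
	if fi.Mode()&os.ModeSymlink != 0 || !fi.Mode().IsRegular() {
		return errUnsafePath
	}
	if fi.Mode().Perm()&0o022 != 0 {
		return errUnsafePath
	}
	di, err := os.Stat(filepath.Dir(path))
	if err != nil {
		return err
	}
	if di.Mode().Perm()&0o022 != 0 {
		return errUnsafePath
	}
	return nil
}

// stageExecutable writes content into a new private directory created by
// os.MkdirTemp (mode 0700, unpredictable name) and returns the directory and
// file path once the file has passed checkExecutablePath. The caller removes
// the directory when done.
func stageExecutable(name string, content []byte) (dir, path string, err error) {
	dir, err = os.MkdirTemp("", "deploy-")
	if err != nil {
		return "", "", err
	}
	path = filepath.Join(dir, name)
	if err = os.WriteFile(path, content, 0o700); err != nil {
		os.RemoveAll(dir)
		return "", "", err
	}
	if err = checkExecutablePath(path); err != nil {
		os.RemoveAll(dir)
		return "", "", err
	}
	return dir, path, nil
}

func main() {
	// Constructed stand-in for the helper binary a deployment script would run.
	dir, path, err := stageExecutable("helper", []byte("#!/bin/sh\necho ok\n"))
	if err != nil {
		fmt.Println("staging failed:", err)
		return
	}
	defer os.RemoveAll(dir)
	fmt.Println("private staging dir:", checkExecutablePath(path))

	// Reproduce the audited condition: the same file inside a directory with
	// /tmp-style permissions (sticky bit, world-writable).
	if err := os.Chmod(dir, 0o777|os.ModeSticky); err == nil {
		fmt.Println("world-writable dir:", checkExecutablePath(path))
	}
}
```

The private directory removes the shared-namespace problem entirely; the permission check is the backstop for the case where a script is still pointed at a path it did not create.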

The low-severity vulnerabilities were mostly due to outdated dependencies that carried known vulnerabilities or denial-of-service potential. Low-severity issues in Tor Browser include the ability to bypass JavaScript blocking when the security level is set to the highest setting, the lack of restrictions on file downloads, and a possible information leak through the user's home page that allows users to be tracked across restarts.

All of the vulnerabilities have now been fixed; among other changes, authentication has been implemented for all rdsys handlers and digital-signature verification of the lists loaded into Tor Browser has been added.

Separately, Tor Browser 13.0.1 has been released. The release is synchronized with the Firefox 115.4.0 ESR codebase, which fixes 19 vulnerabilities (13 of them rated dangerous). Tor Browser 13.0.1 for Android incorporates the vulnerability fixes from the Firefox 119 branch.

Source: opennet.ru
