2 zero-day vulnerabilities of TOR published. No patch available; 3 more reports to come

A new security risk has been detected. Security testing course experts have reported finding two vulnerabilities in the Tor browser and network. Dr. Neal Krawetz is in charge of finding two zero-day vulnerabilities in Tor Project, whose developers seem to have not addressed since they were notified.

Krawetz also mentions that it will reveal at least three other zero-day vulnerabilities in Tor, including a flaw that could reveal the actual IP address of the Tor servers. Despite recent statements from the researcher, no one from Tor Project has commented on it.

The security testing course expert, who operates multiple Tor nodes, mentions that the first could be exploited by companies and service providers could block users and prevent them from connecting using the anonymous network by simply scanning network connections, looking for a different packet signature, unique to Tor traffic. This package could be used as a method of blocking connections, which could be considered abusive behavior, especially in countries where the Internet faces severe government restrictions.

Just a few hours ago, Krawetz shared some details about the second vulnerability. As in the previous report, this failure would allow anonymous traffic to be detected and blocked, although using a different method, as this attack depends on the detection of indirect connections.

According to security testing course experts, these connections are made between Tor bridges, a special type of network entry point that can be used if Internet service providers block access to the anonymous network. A Tor bridge acts as a proxy and relays user connections to the Tor network itself.

“Connections to Tor bridges can be easily detected, using a technique similar to tracking specific TCP packets. This makes it possible to prevent any user from connecting to the Tor network, either directly or indirectly,” Krawetz added.

Regarding his motivations for publicly disclosing his finding, Krawetz mentions that Tor Project has not taken its security flaws seriously, referring to other incidents in which those responsible for this project have dismissed the security risks found, which remain active and could be exploited at any time.

For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.

Originally published at https://www.securitynewspaper.com on July 31, 2020.

Knowledge belongs to the world