#VU31346 Use-after-free in Tor - CVE-2018-0491

Cybersecurity Help s.r.o.

Published: 2018-03-05 | Updated: 2021-06-17

Vulnerability identifier: #VU31346

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2018-0491

CWE-ID: CWE-416

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Tor
Client/Desktop applications / Web browsers

Vendor: tor.eff.org

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. It allows remote attackers to cause a denial of service (relay crash) because the KIST implementation allows a channel to be added more than once in the pending list.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Tor: 0.3.2.1 - 0.3.2.9

External links
https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915
https://trac.torproject.org/projects/tor/ticket/24700
https://trac.torproject.org/projects/tor/ticket/25117
https://www.exploit-db.com/exploits/44994/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Fedora EPEL 6 update for tor

Use-after-free in tor.eff Tor

Use-after-free in tor (Alpine package)