#VU44434 Permissions, Privileges, and Access Controls in Tor - CVE-2011-2768 

 


Published: December 23, 2011 / Updated: August 11, 2020


Vulnerability identifier: #VU44434
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2011-2768
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Tor
Software vendor: tor.eff.org

Description

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, which allows remote relays to bypass intended anonymity properties by reading this chain and then determining the set of entry guards that the client or bridge had selected.


Remediation

Install the update from the vendor's website.

External links