Debian Local Security Checks : Debian: Security Advisory (DSA-2993-1)

Vulnerability Search		Search 324607 CVE descriptions and 145615 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.702993

Category: Debian Local Security Checks

Title: Debian: Security Advisory (DSA-2993-1)

Summary: The remote host is missing an update for the Debian 'tor' package(s) announced via the DSA-2993-1 advisory.

Description: Summary:
The remote host is missing an update for the Debian 'tor' package(s) announced via the DSA-2993-1 advisory.

Vulnerability Insight:
Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks.

Relay-early cells could be used by colluding relays on the network to tag user circuits and so deploy traffic confirmation attacks [CVE-2014-5117]. The updated version emits a warning and drops the circuit upon receiving inbound relay-early cells, preventing this specific kind of attack. Please consult the following advisory for more details about this issue:

[link moved to references]

A bug in the bounds-checking in the 32-bit curve25519-donna implementation could cause incorrect results on 32-bit implementations when certain malformed inputs were used along with a small class of private ntor keys. This flaw does not currently appear to allow an attacker to learn private keys or impersonate a Tor server, but it could provide a means to distinguish 32-bit Tor implementations from 64-bit Tor implementations.

The following additional security-related improvements have been implemented:

As a client, the new version will effectively stop using CREATE_FAST cells. While this adds computational load on the network, this approach can improve security on connections where Tor's circuit handshake is stronger than the available TLS connection security levels.

Prepare clients to use fewer entry guards by honoring the consensus parameters. The following article provides some background:

[link moved to references]

For the stable distribution (wheezy), these problems have been fixed in version 0.2.4.23-1~
deb7u1.

For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 0.2.4.23-1.

For the experimental distribution, these problems have been fixed in version 0.2.5.6-alpha-1.

We recommend that you upgrade your tor packages.

Affected Software/OS:
'tor' package(s) on Debian 7.

Solution:
Please install the updated package(s).

CVSS Score:
5.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2014-5117
https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html
https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html
https://lists.torproject.org/pipermail/tor-talk/2014-July/034180.html
http://secunia.com/advisories/60084
http://secunia.com/advisories/60647

Copyright Copyright (C) 2014 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

Test ID:	1.3.6.1.4.1.25623.1.0.702993
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DSA-2993-1)
Summary:	The remote host is missing an update for the Debian 'tor' package(s) announced via the DSA-2993-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'tor' package(s) announced via the DSA-2993-1 advisory. Vulnerability Insight: Several issues have been discovered in Tor, a connection-based low-latency anonymous communication system, resulting in information leaks. Relay-early cells could be used by colluding relays on the network to tag user circuits and so deploy traffic confirmation attacks [CVE-2014-5117]. The updated version emits a warning and drops the circuit upon receiving inbound relay-early cells, preventing this specific kind of attack. Please consult the following advisory for more details about this issue: [link moved to references] A bug in the bounds-checking in the 32-bit curve25519-donna implementation could cause incorrect results on 32-bit implementations when certain malformed inputs were used along with a small class of private ntor keys. This flaw does not currently appear to allow an attacker to learn private keys or impersonate a Tor server, but it could provide a means to distinguish 32-bit Tor implementations from 64-bit Tor implementations. The following additional security-related improvements have been implemented: As a client, the new version will effectively stop using CREATE_FAST cells. While this adds computational load on the network, this approach can improve security on connections where Tor's circuit handshake is stronger than the available TLS connection security levels. Prepare clients to use fewer entry guards by honoring the consensus parameters. The following article provides some background: [link moved to references] For the stable distribution (wheezy), these problems have been fixed in version 0.2.4.23-1~ deb7u1. For the testing distribution (jessie) and the unstable distribution (sid), these problems have been fixed in version 0.2.4.23-1. For the experimental distribution, these problems have been fixed in version 0.2.5.6-alpha-1. We recommend that you upgrade your tor packages. Affected Software/OS: 'tor' package(s) on Debian 7. Solution: Please install the updated package(s). CVSS Score: 5.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2014-5117 https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html https://lists.torproject.org/pipermail/tor-talk/2014-July/034180.html http://secunia.com/advisories/60084 http://secunia.com/advisories/60647
Copyright	Copyright (C) 2014 Greenbone AG