Vulnerabilities > CVE-2017-11565 - Unspecified vulnerability in Debian TOR 0.2.9.111

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

debian

NVD

Published: 2017-07-23

Updated: 2019-10-03

Summary

debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was designed to execute aa-exec from the standard system pathname if the apparmor package is installed, but implements this incorrectly (with a wrong assumption that the specific pathname would remain the same forever), which allows attackers to bypass intended AppArmor restrictions by leveraging the silent loss of this protection mechanism. NOTE: this does not affect systems, such as default Debian stretch installations, on which Tor startup relies on a systemd unit file (instead of this tor.init script).

Vulnerable Configurations

Part	Description	Count
Application	Debian Debian TOR 0.2.9.11-1	1

References

https://bugs.debian.org/869153
http://www.securityfocus.com/bid/99933