Vulnerabilities > CVE-2018-0490 - NULL Pointer Dereference vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list subprotocol implementation allows remote attackers to cause a denial of service (NULL pointer dereference and directory-authority crash) via a misformatted relay descriptor that is mishandled during voting.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks
NASL id OPENSUSE-2018-223.NASL
description This update for tor to version 0.3.2.10 fixes security issues and bugs. The following vulnerabilities were fixed : - CVE-2018-0490: remote crash vulnerability against directory authorities (boo#1083845, TROVE-2018-001) - CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002) This new upstream stable version also contains a new system for improved resistance to DoS attacks against relays and various other bug fixes.
last seen 2020-06-05
modified 2018-03-07
plugin id 107179
published 2018-03-07
reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/107179
title openSUSE Security Update : tor (openSUSE-2018-223)
code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2018-223.
#
# The text description of this plugin is (C) SUSE LLC.
#
# Purpose: local (package-inventory) check that reports an openSUSE 42.3
# host whose tor packages are below the build that fixes CVE-2018-0490
# and CVE-2018-0491. It compares RPM versions only; it reads nothing about
# the Tor configuration, so a finding does not tell you whether the host
# actually runs as a directory authority (the role CVE-2018-0490 concerns)
# or as a relay (CVE-2018-0491).

include("compat.inc");

# Registration block: when `description` is set the script only declares
# its metadata and exits without performing any check.
if (description)
{
  script_id(107179);
  script_version("1.7");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2018-0490", "CVE-2018-0491");

  script_name(english:"openSUSE Security Update : tor (openSUSE-2018-223)");
  script_summary(english:"Check for the openSUSE-2018-223 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for tor to version 0.3.2.10 fixes security issues and bugs. The following vulnerabilities were fixed : - CVE-2018-0490: remote crash vulnerability against directory authorities (boo#1083845, TROVE-2018-001) - CVE-2018-0491: remote relay crash (boo#1083846, TROVE-2018-002) This new upstream stable version also contains a new system for improved resistance to DoS attacks against relays and various other bug fixes."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1083845"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1083846"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected tor packages.");

  # Both vectors describe a network-reachable, unauthenticated,
  # availability-only issue (CVSS2 A:P, CVSS3 A:H).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  # NOTE(review): the exploitability attributes below are plugin metadata;
  # nothing else on this page corroborates them. Confirm against the
  # vendor advisories before using them to prioritise remediation.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/07");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # The check consumes knowledge-base items rather than probing the host
  # itself: it declares a dependency on ssh_get_info.nasl and requires the
  # release, RPM list and CPU keys to be present.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Precondition gates: each one audits out with a specific reason, so a
# missing finding caused by lack of local-check data is distinguishable
# from a host that is genuinely not affected.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
# SLED/SLES releases are rejected here; only openSUSE is in scope.
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
# Only openSUSE 42.3 is evaluated; any other release is reported as not covered.
if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);

# Count the packages that rpm_check flags against the reference builds.
# rpm_check comes from rpm.inc (not shown); presumably it reports an
# installed package older than the given reference - confirm there.
flag = 0;

if ( rpm_check(release:"SUSE42.3", reference:"tor-0.3.2.10-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"tor-debuginfo-0.3.2.10-15.1") ) flag++;
if ( rpm_check(release:"SUSE42.3", reference:"tor-debugsource-0.3.2.10-15.1") ) flag++;

if (flag)
{
  # At least one package was flagged: raise a warning, attaching the RPM
  # report when report verbosity is above zero.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Nothing flagged: distinguish "packages examined and not affected"
  # from "none of the packages is installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tor / tor-debuginfo / tor-debugsource");
}
NASL family Debian Local Security Checks
NASL id DEBIAN_DSA-4183.NASL
description It has been discovered that Tor, a connection-based low-latency anonymous communication system, contains a protocol-list handling bug that could be used to remotely crash directory authorities with a NULL pointer exception (TROVE-2018-001).
last seen 2020-06-01
modified 2020-06-02
plugin id 109412
published 2018-04-30
reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source https://www.tenable.com/plugins/nessus/109412
title Debian DSA-4183-1 : tor - security update
References
- https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915
- https://blog.torproject.org/new-stable-tor-releases-security-fixes-and-dos-prevention-03210-03110-02915
- https://trac.torproject.org/projects/tor/ticket/25074
- https://trac.torproject.org/projects/tor/ticket/25074
- https://www.debian.org/security/2018/dsa-4183
- https://www.debian.org/security/2018/dsa-4183