Vulnerabilities > CVE-2020-10593 - Memory Leak vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak), aka TROVE-2020-004. This occurs in circpad_setup_machine_on_circ because a circuit-padding machine can be negotiated twice on the same circuit.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Torproject | 15 |
Application | 1 | |
OS | 1 |
Common Weakness Enumeration (CWE)
Nessus
# Plugin listing metadata (kept from the page's listing header):
#   NASL family : Gentoo Local Security Checks
#   NASL id     : GENTOO_GLSA-202003-50.NASL
#   description : The remote host is affected by the vulnerability described in GLSA-202003-50 (Tor: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tor, and tor. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
#   last seen   : 2020-03-31
#   modified    : 2020-03-26
#   plugin id   : 134925
#   published   : 2020-03-26
#   reporter    : This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#   source      : https://www.tenable.com/plugins/nessus/134925
#   title       : GLSA-202003-50 : Tor: Multiple vulnerabilities
#
# code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202003-50.
#
# The advisory text is Copyright (C) 2001-2020 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#
# Purpose: local (credentialed) package-version check for GLSA-202003-50.
# It reads the package list already stored in the scanner knowledge base and
# reports when the installed net-vpn/tor falls in the advisory's vulnerable
# range. Nothing in this script contacts the Tor service itself, so a finding
# reflects the installed package version, not observed behaviour.

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any check runs (see the exit(0) closing this block).
if (description)
{
  script_id(134925);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/30");

  # Both CVEs fixed by the advisory are attached to the one finding.
  script_cve_id("CVE-2020-10592", "CVE-2020-10593");
  script_xref(name:"GLSA", value:"202003-50");

  script_name(english:"GLSA-202003-50 : Tor: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-202003-50 (Tor: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tor, and tor. Please review the CVE identifiers referenced below for details. 
Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/202003-50"
  );
  # The remediation text names fixed versions for the 0.4.1.x and 0.4.2.x
  # branches only.
  script_set_attribute(
    attribute:"solution",
    value:
"All Tor 0.4.1.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-vpn/tor-0.4.1.9' All Tor 0.4.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=net-vpn/tor-0.4.2.7'"
  );

  # Scoring: the CVSS v2 vector rates availability impact as partial (A:P),
  # the CVSS v3 vector as high (A:H). Confidentiality and integrity are
  # unaffected in both, i.e. this is a pure availability (DoS) issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # "local" = the check depends on data gathered from the host, matching the
  # required KB keys declared below.
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tor");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/26");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  # The plugin runs after ssh_get_info.nasl and requires the three KB keys
  # that the guards further down test again.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Preconditions: local checks enabled, host identified as Gentoo, and a
# package list present. Each failure is routed to audit() with a distinct
# reason code rather than being reported as a finding.
# NOTE(review): audit() presumably terminates the plugin -- confirm in audit.inc.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# Version comparison for net-vpn/tor against the advisory's ranges.
# NOTE(review): "rge" / "lt" look like GLSA range operators
# (revision-greater-or-equal / less-than) -- confirm against qpkg.inc.
# NOTE(review): the CVE-2020-10593 summary also lists 0.3.5.10 as a fixed
# release; that version is below 0.4.2.7 and is not in the unaffected list,
# so it would presumably still be flagged here -- verify before treating a
# hit on a 0.3.5.x host as a true positive.
if (qpkg_check(package:"net-vpn/tor", unaffected:make_list("rge 0.4.1.9", "rge 0.4.2.7"), vulnerable:make_list("lt 0.4.2.7"))) flag++;

if (flag)
{
  # Reported via security_warning on port 0; the package report is attached
  # only when report_verbosity is above 0.
  if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # No match: record whether the package was tested and found unaffected,
  # or was not installed at all.
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Tor");
}
# Plugin listing metadata (kept from the page's listing header):
#   NASL family : SuSE Local Security Checks
#   NASL id     : OPENSUSE-2020-406.NASL
#   description : This update for tor to version 0.3.5.10 fixes the following issues : - tor was updated to version 0.3.5.10 : - CVE-2020-10592: Fixed a CPU consumption denial of service and timing patterns (boo#1167013) - CVE-2020-10593: Fixed a circuit padding memory leak (boo#1167014)
#   last seen   : 2020-04-04
#   modified    : 2020-03-30
#   plugin id   : 135009
#   published   : 2020-03-30
#   reporter    : This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
#   source      : https://www.tenable.com/plugins/nessus/135009
#   title       : openSUSE Security Update : tor (openSUSE-2020-406)
#
# code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update openSUSE-2020-406.
#
# The text description of this plugin is (C) SUSE LLC.
#
# Purpose: local (credentialed) RPM-version check for openSUSE-2020-406.
# It compares the installed tor packages, as recorded in the scanner
# knowledge base, with the fixed package builds named below. Nothing in this
# script contacts the Tor service itself.

include("compat.inc");

# Registration pass: when `description` is set the script only declares its
# metadata and exits before any check runs (see the exit(0) closing this block).
if (description)
{
  script_id(135009);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/02");

  # Both CVEs fixed by the update are attached to the one finding.
  script_cve_id("CVE-2020-10592", "CVE-2020-10593");

  script_name(english:"openSUSE Security Update : tor (openSUSE-2020-406)");
  script_summary(english:"Check for the openSUSE-2020-406 patch");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote openSUSE host is missing a security update." 
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for tor to version 0.3.5.10 fixes the following issues : - tor was updated to version 0.3.5.10 : - CVE-2020-10592: Fixed a CPU consumption denial of service and timing patterns (boo#1167013) - CVE-2020-10593: Fixed a circuit padding memory leak (boo#1167014)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1167013"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1167014"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected tor packages.");

  # Scoring: the CVSS v2 vector rates availability impact as partial (A:P),
  # the CVSS v3 vector as high (A:H). Confidentiality and integrity are
  # unaffected in both, i.e. this is a pure availability (DoS) issue.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # "local" = the check depends on data gathered from the host, matching the
  # required KB keys declared below.
  script_set_attribute(attribute:"plugin_type", value:"local");

  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:tor-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.1");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # The plugin runs after ssh_get_info.nasl and requires the four KB keys
  # that the guards further down read again.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# NOTE(review): audit() presumably terminates the plugin -- confirm in audit.inc.
# The scope notes below rely on that.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# Release gating: SLED/SLES hosts are rejected as "not openSUSE", and only the
# exact release string SUSE15.1 proceeds. Hosts on any other release get an
# audit result, not a finding, whatever tor version they run.
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE15\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.1", release);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Architecture gating: only x86_64 is evaluated. An openSUSE 15.1 host on
# another architecture is audited out here, so the absence of a finding on
# such a host says nothing about its tor version.
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", ourarch);

flag = 0;

# One comparison per package shipped by the update; any hit raises the flag.
# NOTE(review): rpm_check presumably returns true when the installed package
# is older than the reference build -- confirm against rpm.inc.
if ( rpm_check(release:"SUSE15.1", reference:"tor-0.3.5.10-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tor-debuginfo-0.3.5.10-lp151.2.3.1") ) flag++;
if ( rpm_check(release:"SUSE15.1", reference:"tor-debugsource-0.3.5.10-lp151.2.3.1") ) flag++;

if (flag)
{
  # Reported via security_warning on port 0; the RPM report is attached only
  # when report_verbosity is above 0.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # No match: record whether the packages were tested and found unaffected,
  # or were not installed at all.
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tor / tor-debuginfo / tor-debugsource");
}
References
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00045.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00052.html
- https://security.gentoo.org/glsa/202003-50
- https://trac.torproject.org/projects/tor/ticket/33619
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00045.html
- https://trac.torproject.org/projects/tor/ticket/33619
- https://security.gentoo.org/glsa/202003-50
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00052.html