rustsec-2024-0340
Vulnerability from osv_rustsec
Published: 2024-05-15 12:00
Modified: 2025-10-28 06:02
Summary
Tor path lengths too short when "full Vanguards" configured
Details

Description

When building anonymizing circuits to or from an onion service with full vanguards enabled, the circuit manager code would build the circuits with one hop too few.

Impact

This makes users of this code more vulnerable to some kinds of traffic analysis when they run or visit onion services.

Vulnerable configurations and use cases

Arti configured with "full vanguards" is vulnerable.

Only users who make connections to Onion Services (Tor Hidden Services) are affected. Note, however, that when used as a browser proxy, malicious web pages can typically make such connections.

Mitigation

Preventing access to Tor Hidden Services will avoid the problem, with corresponding loss of functionality. This can be achieved in the Arti configuration file with:

[address_filter]
allow_onion_addrs = false

Changing the configuration (e.g. to turn off vanguards) reclassifies the behaviour as "as configured", but reduces security rather than improving it, so it is not a mitigation.

Resolution

Rebuild arti (or other affected applications) with a fixed version of tor-circmgr: 0.18.1 or later.

The fixed tor-circmgr is on crates.io and available in the upstream git repository at signed tag arti-v1.2.3.

Note about older versions

Earlier versions are classified as "not affected", but only because in those versions the Vanguards feature is experimental or absent. Downgrading worsens security rather than improving it.
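As an added example (not part of the RustSec record or of Arti's own tooling), the following Python script evaluates the record's OSV SEMVER range (introduced 0.18.0, fixed 0.18.1) against every tor-circmgr version pinned in a Cargo.lock, so a build can be checked before deciding whether a rebuild is needed. The lock-file text is constructed here for illustration; the advisory values are taken from the record on this page.

```python
import re

# Range data copied from the RUSTSEC-2024-0340 record above.
ADVISORY = {
    "id": "RUSTSEC-2024-0340",
    "package": "tor-circmgr",
    "events": [{"introduced": "0.18.0"}, {"fixed": "0.18.1"}],
}

def parse_version(v: str) -> tuple:
    """Sort key for a semver string: numeric core, then a flag so that
    a pre-release such as '0.18.1-rc1' sorts below the release '0.18.1'."""
    core, _, pre = v.split("+")[0].partition("-")
    key = tuple(int(p) for p in core.split("."))
    return key + ((0, pre) if pre else (1,))

def in_osv_range(version: str, events: list) -> bool:
    """Walk an OSV SEMVER event list (ascending order): a version is affected
    from each 'introduced' event up to, but excluding, the next 'fixed' event."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev and v >= parse_version(ev["introduced"]):
            affected = True
        if "fixed" in ev and v >= parse_version(ev["fixed"]):
            affected = False
    return affected

def lock_versions(lock_text: str, crate: str) -> list:
    """Every version of `crate` pinned in a Cargo.lock (a crate may appear more than once)."""
    pat = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')
    return [ver for name, ver in pat.findall(lock_text) if name == crate]

def audit_lockfile(lock_text: str, advisory: dict = ADVISORY) -> dict:
    """Map each pinned version of the advisory's crate to True (vulnerable) or False."""
    return {v: in_osv_range(v, advisory["events"])
            for v in lock_versions(lock_text, advisory["package"])}

# Constructed sample Cargo.lock fragment (not from any real project).
SAMPLE_LOCK = """\
[[package]]
name = "tor-circmgr"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tor-chanmgr"
version = "0.18.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

if __name__ == "__main__":
    for ver, vuln in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{ADVISORY['package']} {ver}: {'VULNERABLE' if vuln else 'not affected'}")
```

Run it against a real lock file with `audit_lockfile(open("Cargo.lock").read())`; a pre-0.18.0 pin reports "not affected" exactly as the record classifies it, which is the point the note above makes.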

References

  • arti#1400: the ticket in the Arti bugtracker.
  • TROVE: the Tor Project vulnerability database.
  • arti#1409: the similar bug with the vanguards lite feature.

{
  "affected": [
    {
      "database_specific": {
        "categories": [],
        "cvss": null,
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "tor-circmgr",
        "purl": "pkg:cargo/tor-circmgr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.1"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2024-35312",
    "CVE-2024-35313",
    "GHSA-9328-gcfq-p269",
    "GHSA-c96h-cxx6-rmg9",
    "TROVE-2024-004"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "## Description\n\nWhen building anonymizing circuits to or from an onion service with \nfull vanguards enabled, \nthe circuit manager code would build the circuits with one hop too few.\n\n## Impact\n\nThis makes users of this code more vulnerable to some kinds of traffic analysis\nwhen they run or visit onion services.\n\n## Vulnerable configurations and use cases\n\nArti configured with \"full vangaurds\" is vulnerable.\n\nOnly users who make connections to Onion Services\n(Tor Hidden Services) are affected.\nNote, however, that when used as a browser proxy,\nmalicious web pages can typically make such connections.\n\n## Mitigation\n\nPreventing access to Tor Hidden Services will avoid the problem,\nwith corresponding loss of functionality.\nThis can be achieved in the Arti configuration file with:\n\n```\n[address_filter]\nallow_onion_addrs = false\n```\n\nChanging the configuration (eg to turn off vanguards)\nreclassifies the behaviour as \"as configured\",\nbut reduces security rather than improving it,\nso is not a mitigation.\n\n## Resolution\n\nRebuild `arti` (or other affected applications)\nwith a fixed version of `tor-circmgr`:\n0.18.1 or later.\n\nThe fixed `tor-circmgr` is on crates.io and available in\n[the upstream git repository](https://gitlab.torproject.org/tpo/core/arti)\nat signed tag `arti-v1.2.3`.\n\n### Note about older versions\n\nEven though earlier versions are classified as \"not affected\",\nthis is because in those versions the Vanguards feature\nis experimental, or absent.\nDowngrading worsens security, rather than improving it.\n\n## References\n\n * [arti#1400](https://gitlab.torproject.org/tpo/core/arti/-/issues/1400):\n   the ticket in the Arti bugtracker.\n * [TROVE](https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE)\n   Tor Project vulnerability database.\n * [arti#1409](https://gitlab.torproject.org/tpo/core/arti/-/issues/1409):\n   the similar bug with the vanguards lite feature.",
  "id": "RUSTSEC-2024-0340",
  "modified": "2025-10-28T06:02:18Z",
  "published": "2024-05-15T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/tor-circmgr"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2024-0340.html"
    },
    {
      "type": "REPORT",
      "url": "https://gitlab.torproject.org/tpo/core/arti/-/issues/1409"
    }
  ],
  "related": [
    "TROVE-2024-003"
  ],
  "severity": [],
  "summary": "Tor path lengths too short when \"full Vanguards\" configured"
}