A comprehensive code security audit focusing on several components of the Tor anonymity network discovered more than a dozen vulnerabilities, including an issue that has been classified as ‘high risk’.
The audit, conducted by non-profit cybersecurity consultancy Radically Open Security between April and August 2023, covered the Tor browser, exit relays, exposed services, infrastructure, and testing and profiling tools. The results of the assessment were made public this week.
The audit, a crystal box penetration test (where the tester has access to the source code), uncovered a total of 17 security issues.
A majority are medium- and low-risk flaws that can be exploited to launch DoS attacks, downgrade or bypass security, and gain access to information. Some issues are related to the use of outdated or unmaintained third-party components.
The most serious of the flaws is a cross-site request forgery (CSRF) bug affecting the Onion Bandwidth Scanner (Onbasca). This high-risk vulnerability can allow an unauthenticated attacker to inject bridges into the database.
Onbasca is a bandwidth scanner run by directory authorities, which are special relays that maintain a list of currently running relays. Bandwidth scanners can help monitor performance, distribute the load across the Tor network, and detect attacks.
Bridges are unlisted relays that can be helpful to users under oppressive regimes as they are more difficult to block.
“Attackers can lure Directory Authorities victims to their site and perform a successful CSRF attack as soon as the victim’s browser runs in the same network as Onbasca. This is the case when the victim uses the Django web interface. As a result, pre-authenticated attackers can inject attacker-controlled IPs into the database,” Radically Open Security explained in its report.
It added, “When the bridgescan command is invoked, which runs regularly, the Onbasca application will connect to the attacker-controlled bridge. By doing this, attackers may be able to daemonize the hosted instance of Onbasca or carry out further attacks.”
The latest security audit comes after penetration testing firm Cure53 conducted a security assessment focusing on identifying vulnerabilities introduced by user interface changes and an audit related to censorship circumvention.