Tor Memory Fragmentation Vulnerability in Onion Service Descriptor Handling

Vulnerability

A resource consumption vulnerability has been identified in Tor versions through 0.4.7.16 and 0.4.8.17. This issue arises in the Onion Service Descriptor Handler component, where manipulation of descriptors can lead to excessive resource use. The vulnerability allows attackers to remotely disrupt Tor nodes by causing memory fragmentation, which can crash the node or force it to shut down. This issue is particularly damaging to nodes with less than 8GB of RAM, but can also affect larger nodes under certain conditions.

Impact

Exploitation of this vulnerability leads to memory exhaustion, causing affected Tor nodes to crash or shut down. This disruption can be used to launch denial-of-service attacks against onion services, interrupting availability for service operators. Additionally, disabling Tor nodes can aid in de-anonymization attacks, undermining Tor's anonymity protections.

Reproduction

The vulnerability can be reproduced by uploading a series of crafted onion service descriptors to a Tor node. Once the cache threshold is reached, the node's memory capacity can be inferred by observing cache flush events. After establishing the node's memory size, the descriptor update mechanism can be exploited by flooding the node with small descriptors and then replacing them with larger ones. This process induces fragmentation in the node's memory allocation, leading to an Out-Of-Memory condition that causes the Tor node to crash or shut down.

Remediation

Users are advised to upgrade to Tor version 0.4.8.18 or 0.4.9.3-alpha.
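A quick exposure check against the affected and fixed versions named in this advisory, added here as an example (not code from the Tor project or from this advisory). It assumes the first line of `tor --version` has the form "Tor version 0.4.8.17." and deliberately reports series newer than 0.4.9 as not covered, since the advisory says nothing about them.

```python
import re
import subprocess

# First release of each series that the advisory lists as fixed.
# 0.4.7.x has no fixed release of its own: it must move to 0.4.8.18 or later.
FIXED = {(0, 4, 8): 18, (0, 4, 9): 3}

# Matches "0.4.8.17" or "0.4.9.3-alpha"; a trailing "." is left unconsumed.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([a-z]+))?")


def parse_tor_version(text):
    """Return (major, minor, micro, patch) from a bare version string or from
    the first line of `tor --version` output (assumed: "Tor version X.Y.Z.W.")."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tor version found in {text!r}")
    return tuple(int(x) for x in m.groups()[:4])


def exposure(version_text):
    """Classify a Tor version as 'vulnerable', 'fixed' or 'not-covered'
    with respect to the descriptor-handling issue described above."""
    major, minor, micro, patch = parse_tor_version(version_text)
    series = (major, minor, micro)
    if series < (0, 4, 8):
        # 0.4.7.16 and everything older is affected; no in-series fix exists.
        return "vulnerable"
    if series in FIXED:
        return "fixed" if patch >= FIXED[series] else "vulnerable"
    # Series newer than 0.4.9 are not mentioned in the advisory, so we do not
    # assert anything about them (assumption: caller checks release notes).
    return "not-covered"


if __name__ == "__main__":
    try:
        out = subprocess.run(["tor", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except FileNotFoundError:
        raise SystemExit("tor binary not found on PATH")
    print(out.splitlines()[0], "->", exposure(out))
```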

Added: Sep 18, 2025, 2:18 PM
Updated: Sep 18, 2025, 2:18 PM

Vulnerability Rating

Custom Algorithm

spread:         6.6
impact:         2.5
exploitability: 6.0
remediation:    7.7
relevance:      0.5
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.