#VU45426 Resource management error in Tor - CVE-2011-0016


| Updated: 2020-08-11

Vulnerability identifier: #VU45426

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2011-0016

CWE-ID: CWE-399

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Tor
Client/Desktop applications / Web browsers

Vendor: tor.eff.org

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly manage key data in memory, which might allow local users to obtain sensitive information by leveraging the ability to read memory that was previously used by a different process.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Tor: 0.0.2 - 0.2.2.20

External links
https://archives.seul.org/or/announce/Jan-2011/msg00000.html
https://blog.torproject.org/blog/tor-02129-released-security-patches
https://secunia.com/advisories/42905
https://secunia.com/advisories/42907
https://www.debian.org/security/2011/dsa-2148
https://www.openwall.com/lists/oss-security/2011/01/18/7
https://www.securityfocus.com/bid/45832
https://www.securitytracker.com/id?1024980
https://www.vupen.com/english/advisories/2011/0131
https://www.vupen.com/english/advisories/2011/0132
https://gitweb.torproject.org/tor.git/blob/refs/heads/release-0.2.2:/ChangeLog
https://trac.torproject.org/projects/tor/ticket/2384
https://trac.torproject.org/projects/tor/ticket/2385

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for Tor
Multiple vulnerabilities in tor.eff Tor