CVE-2017-8821 - OpenCVE

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Tor Project	Tor

Configuration 1 [-]

OR	cpe:2.3:a:tor_project:tor::::::::
	cpe:2.3:a:tor_project:tor::::::::
	cpe:2.3:a:tor_project:tor::::::::
	cpe:2.3:a:tor_project:tor::::::::
	cpe:2.3:a:tor_project:tor::::::::

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

References

Link	Providers
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
https://bugs.torproject.org/24246
https://www.debian.org/security/2017/dsa-4054

History

No history.

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2017-12-03T07:00:00

Updated: 2024-08-05T16:48:22.407Z

Reserved: 2017-05-07T00:00:00

Link: CVE-2017-8821

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-12-03T07:29:00.380

Modified: 2017-12-21T18:06:43.350

Link: CVE-2017-8821

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9", "vendor": "n/a", "versions": [{"status": "affected", "version": "Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9"}]}], "datePublic": "2017-12-03T00:00:00", "descriptions": [{"lang": "en", "value": "In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011."}], "problemTypes": [{"descriptions": [{"description": "application hang", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-04T10:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516"}, {"name": "DSA-4054", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-4054"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugs.torproject.org/24246"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2017-8821", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9", "version": {"version_data": [{"version_value": "Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "application hang"}]}]}, "references": {"reference_data": [{"name": "https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516", "refsource": "CONFIRM", "url": "https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516"}, {"name": "DSA-4054", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-4054"}, {"name": "https://bugs.torproject.org/24246", "refsource": "CONFIRM", "url": "https://bugs.torproject.org/24246"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:48:22.407Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516"}, {"name": "DSA-4054", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-4054"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugs.torproject.org/24246"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2017-8821", "datePublished": "2017-12-03T07:00:00", "dateReserved": "2017-05-07T00:00:00", "dateUpdated": "2024-08-05T16:48:22.407Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "067DE048-F786-4E63-98E6-6FD6415DD3A5", "versionEndExcluding": "0.2.5.16", "vulnerable": true}, {"criteria": "cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "5372249B-59F8-4866-B4D3-F52980FCC269", "versionEndExcluding": "0.2.8.17", "versionStartIncluding": "0.2.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0739CCD-DE8F-4A44-91CD-986C4644045F", "versionEndExcluding": "0.2.9.14", "versionStartIncluding": "0.2.9", "vulnerable": true}, {"criteria": "cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "E623D0FC-453C-4D7A-8328-C4C252EEC976", "versionEndExcluding": "0.3.0.13", "versionStartIncluding": "0.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:tor_project:tor:*:*:*:*:*:*:*:*", "matchCriteriaId": "249879F0-6A12-41C2-9559-020021080696", "versionEndExcluding": "0.3.1.9", "versionStartIncluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, an attacker can cause a denial of service (application hang) via crafted PEM input that signifies a public key requiring a password, which triggers an attempt by the OpenSSL library to ask the user for the password, aka TROVE-2017-011."}, {"lang": "es", "value": "En Tor, en versiones anteriores a la 0.2.5.16; de la versi\u00f3n 0.2.6 hasta la 0.2.8 anterior a la 0.2.8.17; versiones 0.2.9 anteriores a la 0.2.9.14; versiones 0.3.0 anteriores a la 0.3.0.13 y versiones 0.3.1 anteriores a la 0.3.1.9, un atacante puede provocar una denegaci\u00f3n de servicio (bloqueo de la aplicaci\u00f3n) mediante una entrada PEM manipulada que represente una clave p\u00fablica que requiera una contrase\u00f1a. Esto da lugar a que la biblioteca Open SSLE intente preguntar la contrase\u00f1a al usuario. Esto tambi\u00e9n se conoce como TROVE-2017-011."}], "id": "CVE-2017-8821", "lastModified": "2017-12-21T18:06:43.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-03T07:29:00.380", "references": [{"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516"}, {"source": "security@debian.org", "tags": ["Vendor Advisory"], "url": "https://bugs.torproject.org/24246"}, {"source": "security@debian.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4054"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}