The Tor Browser project asked the penetration testers at Cure53 to audit core components of the project. Among the components were the BridgeDB software, building infrastructure, specific Tor Browser alterations and rdsys software. Tor Browser is a Firefox-based web browser that is designed specifically for the purpose of keeping its users anonymous and allowing censored users to access blocked resources. Out of scope of the analysis was a general analysis of the codebase of the Firefox web browser.

Cure53 analyzed the six main components over the course of 72 days starting in February 2023. The analysis divided the components into six distinct work packages. Eight skill-matched senior testers went to work in the given time period.

The team found a total of nineteen issues, of which three were deemed security vulnerabilities and the remaining sixteen miscellaneous, as they "incur little exploitation potential". The two security issues rated high and the one security issue rated medium were addressed by the Tor Project shortly after the review period ended.

One of the issues was found in the rdsys source code. The Resource Distribution System is used to provide censored users with resource access. It lacked resource registration endpoint registration, which could have allowed attackers to "register arbitrary malicious resources for distribution to users".

The second major issue that the researchers discovered was found in the returned bridge list, as it was not cryptographically signed. It could allow attackers to potentially eavesdrop on the connection or "with access to the server providing the bridge list".

The third and final issue, rated medium, was a privilege escalation from nobody to rdsys in the deploy script.