Vulnerability CVE-2012-4419 - CERT Civis.Net

Vulnerability Name:

CVE-2012-4419 (CCN-78604)

Assigned:

2012-09-11

Published:

2012-09-11

Updated:

2013-08-22

Summary:

The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2012-4419

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-14638

Source: SUSE
Type: UNKNOWN
openSUSE-SU-2012:1278

Source: MLIST
Type: UNKNOWN
[oss-security] 20120912 Re: CVE id request: tor

Source: CCN
Type: SA50578
Tor Two Assertion Failure Denial of Service Vulnerabilities

Source: SECUNIA
Type: UNKNOWN
50583

Source: GENTOO
Type: UNKNOWN
GLSA-201301-03

Source: DEBIAN
Type: DSA-2548
tor -- several vulnerabilities

Source: CCN
Type: BID-55519
Tor Multiple Denial of Service Vulnerabilities

Source: XF
Type: UNKNOWN
tor-multiple-dos(78604)

Source: CCN
Type: torproject Web Site
bump to 0.2.2.39

Source: CONFIRM
Type: UNKNOWN
https://gitweb.torproject.org/tor.git/blob/release-0.2.2:/ReleaseNotes

Source: CONFIRM
Type: UNKNOWN
https://gitweb.torproject.org/tor.git/commit/62d96284f7e0f81c40d5df7e53dd7b4dfe7e56a5

Source: MLIST
Type: UNKNOWN
[tor-talk] 20120905 Tor 0.2.3.21-rc is out

Source: CONFIRM
Type: UNKNOWN
https://trac.torproject.org/projects/tor/ticket/6690

Vulnerable Configuration:

Configuration 1:

cpe:/a:torproject:tor:0.0.2:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre13:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre14:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre15:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre16:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre17:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre18:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre19:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre20:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre21:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre22:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre23:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre24:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre25:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre26:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.2:pre27:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.3:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.4:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.5:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.6:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.6.1:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.6.2:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.7:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.7.1:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.7.2:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.7.3:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.8.1:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.1:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.2:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.3:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.4:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.5:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.6:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.7:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.8:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.9:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.0.9.10:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.10:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.12:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.13:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.14:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.15:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.16:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.0.17:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.20:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.21:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.22:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.23:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.24:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.25:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.1.26:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.13:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.14:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.15:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.16:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.17:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.18:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.1.2.19:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.30:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.31:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.32:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.33:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.34:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.0.35:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.18:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.19:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.20:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.21:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.22:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.23:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.24:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.25:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.26:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.27:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.28:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.29:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.30:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.31:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.32:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.33:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.34:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.35:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.36:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.2.37:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:*:*:*:*:*:*:*:* (Version <= 0.2.2.38)

OR cpe:/a:torproject:tor:0.2.3:*:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.13:alpha:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.14:alpha:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.15:alpha:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.16:alpha:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.17:beta:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.18:rc:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.19:rc:*:*:*:*:*:*

OR cpe:/a:torproject:tor:0.2.3.20:rc:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20124419	V	CVE-2012-4419	2022-06-30
oval:org.opensuse.security:def:113538	P	tor-0.2.8.11-1.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:106933	P	tor-0.2.8.11-1.1 on GA media (Moderate)	2021-10-01
oval:org.mitre.oval:def:17634	P	DSA-2548-1 tor - several	2014-06-23
oval:com.ubuntu.precise:def:20124419000	V	CVE-2012-4419 on Ubuntu 12.04 LTS (precise) - low.	2012-09-14
oval:com.ubuntu.trusty:def:20124419000	V	CVE-2012-4419 on Ubuntu 14.04 LTS (trusty) - low.	2012-09-14
oval:com.ubuntu.xenial:def:201244190000000	V	CVE-2012-4419 on Ubuntu 16.04 LTS (xenial) - low.	2012-09-14
oval:com.ubuntu.xenial:def:20124419000	V	CVE-2012-4419 on Ubuntu 16.04 LTS (xenial) - low.	2012-09-14