Security release: Arti 1.2.3. (Please upgrade.)

by nickm | May 15, 2024

We have released updates to Arti today, to resolve a pair of security issues related to circuit construction for onion services.

These vulnerabilities affect the crate tor-circmgr 0.18.0, released along with Arti version 1.2.2. They are fixed in tor-circmgr 0.18.1. (Fixes will also appear in Arti version 1.2.4, to be released on our regular schedule at the start of June.)

Who is affected

If you use arti to connect to onion services, or to run onion services, and you are using Arti 1.2.2 or tor-circmgr 0.18.0, you should upgrade.

(In Arti 1.2.1 and earlier, vanguards were still an experimental feature, or absent, so those versions are classified as "not affected", but downgrading to these versions will not improve your security.)

Upgrade instructions

If you installed Arti via cargo install, use this command to update:

cargo install --locked --features=full arti
# or whatever --features you used before

If you obtained Arti as source code from git, fetch the tag arti-v1.2.3 and rebuild, with cargo build --locked --release --features=full -p arti.

The issues

Both issues affect circuit construction when vanguards are enabled, and affect the length.

First, when building anonymizing circuits to or from an onion service with 'lite' vanguards (the default) enabled, the circuit manager code would build the circuits with one hop too few. This makes users of this code more vulnerable to some kinds of traffic analysis when they run or visit onion services. This bug is tracked as issue #1409, and as TROVE-2024-003. Its severity is "high".

Second, when 'full' vanguards are enabled, some circuits are supposed to be built with an extra hop to minimize the linkability of the guard nodes. In some circumstances, the circuit manager would build circuits with one hop too few, making it easier for an adversary to discover the L2 and L3 guards of the affected clients and services. This issue is tracked as issue #1400, and as TROVE-2024-004. Its severity is "medium".

Comments

We encourage respectful, on-topic comments. Comments that violate our Code of Conduct will be deleted. Off-topic comments may be deleted at the discretion of the moderators. Please do not comment as a way to receive support or to report bugs on a post unrelated to a release. If you are looking for support, please see our FAQ, user support forum or ways to get in touch with us.