{"id":"RUSTSEC-2024-0340","summary":"Tor path lengths too short when \"full Vanguards\" configured","details":"## Description\n\nWhen building anonymizing circuits to or from an onion service with \nfull vanguards enabled, \nthe circuit manager code would build the circuits with one hop too few.\n\n## Impact\n\nThis makes users of this code more vulnerable to some kinds of traffic analysis\nwhen they run or visit onion services.\n\n## Vulnerable configurations and use cases\n\nArti configured with \"full vangaurds\" is vulnerable.\n\nOnly users who make connections to Onion Services\n(Tor Hidden Services) are affected.\nNote, however, that when used as a browser proxy,\nmalicious web pages can typically make such connections.\n\n## Mitigation\n\nPreventing access to Tor Hidden Services will avoid the problem,\nwith corresponding loss of functionality.\nThis can be achieved in the Arti configuration file with:\n\n```\n[address_filter]\nallow_onion_addrs = false\n```\n\nChanging the configuration (eg to turn off vanguards)\nreclassifies the behaviour as \"as configured\",\nbut reduces security rather than improving it,\nso is not a mitigation.\n\n## Resolution\n\nRebuild `arti` (or other affected applications)\nwith a fixed version of `tor-circmgr`:\n0.18.1 or later.\n\nThe fixed `tor-circmgr` is on crates.io and available in\n[the upstream git repository](https://gitlab.torproject.org/tpo/core/arti)\nat signed tag `arti-v1.2.3`.\n\n### Note about older versions\n\nEven though earlier versions are classified as \"not affected\",\nthis is because in those versions the Vanguards feature\nis experimental, or absent.\nDowngrading worsens security, rather than improving it.\n\n## References\n\n * [arti#1400](https://gitlab.torproject.org/tpo/core/arti/-/issues/1400):\n   the ticket in the Arti bugtracker.\n * [TROVE](https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE)\n   Tor Project vulnerability database.\n * [arti#1409](https://gitlab.torproject.org/tpo/core/arti/-/issues/1409):\n   the similar bug with the vanguards lite feature.","aliases":["CVE-2024-35312","CVE-2024-35313","GHSA-9328-gcfq-p269","GHSA-c96h-cxx6-rmg9","RUSTSEC-2024-0339","TROVE-2024-003","TROVE-2024-004"],"modified":"2026-02-04T02:29:53.583773Z","published":"2024-05-15T12:00:00Z","related":["TROVE-2024-003"],"database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/tor-circmgr"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0340.html"},{"type":"REPORT","url":"https://gitlab.torproject.org/tpo/core/arti/-/issues/1409"}],"affected":[{"package":{"name":"tor-circmgr","ecosystem":"crates.io","purl":"pkg:cargo/tor-circmgr"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.18.0"},{"fixed":"0.18.1"}]}],"ecosystem_specific":{"affects":{"functions":[],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2024-0340.json","informational":null,"cvss":null,"categories":[]}}],"schema_version":"1.7.3"}