Zero day vulnerability in TAILS 1.1

A recent tweet from Exodus Intel (a company based in Austin, Texas) generated quite a lot of noise on the Internet: “We’re happy to see that TAILS 1.1 is being released tomorrow. Our multiple RCE/de-anonymization zero-days are still effective. #tails #tor”

We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week. We’re told they won’t disclose these vulnerabilities publicly before we have corrected them, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to reading this report.

The TAILS Project: https://tails.boum.org/news/On_0days_exploits_and_disclosure/

The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on a default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work.

Part two of this blog post will present a technical discussion of the vulnerability. This will be posted once we have confirmed the vulnerabilities in I2P are patched and have been incorporated into Tails.

Exodus Intelligence: http://blog.exodusintel.com/2014/07/23/silverbullets_and_fairytails/

A security hole affects I2P 0.9.13, which is part of Tails 1.1 and earlier. If you are using I2P in Tails 1.1 and earlier, an attacker can de-anonymize you: they can learn the IP address that identifies you on the Internet.

To be able to conduct this attack:

  • the attacker must be able to affect the content of a website that you are visiting using the Tor Browser in Tails — many people are able to do so;

  • and, the attacker must find out how to exploit this security hole; this information has not been published yet, but they may somehow already have discovered it, or been made aware of it.

Tails does not start I2P by default. This design decision was made precisely in order to protect the Tails users who do not use I2P from security holes in this piece of software. Still, an attacker who would also be able to start I2P on your Tails, either by exploiting another undisclosed security hole, or by tricking you into starting it yourself, could then use this I2P security hole to de-anonymize you.

The TAILS Project: https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/index.de.html