VYPR
← All advisories
Unrated severityNVD Advisory· Published Aug 23, 2005· Updated Apr 16, 2026

CVE-2005-2643

CVE-2005-2643

Description

Tor 0.1.0.13 and earlier, and experimental versions 0.1.1.4-alpha and earlier, does not reject certain weak keys when using ephemeral Diffie-Hellman (DH) handshakes, which allows malicious Tor servers to obtain the keys that a client uses for other systems in the circuit.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

28
  • Tor/Tor28 versions
    cpe:2.3:a:tor:tor:0.0.9:*:*:*:*:*:*:*+ 27 more
    • cpe:2.3:a:tor:tor:0.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.1:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.2:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.3:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.4:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.5:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.6:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.7:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.8:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.0.9.9:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.1.1_alpha:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.1.2_alpha:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.1.3_alpha:*:*:*:*:*:*:*
    • cpe:2.3:a:tor:tor:0.1.1.4_alpha:*:*:*:*:*:*:*
    • (no CPE)range: <=0.1.0.13, <=0.1.1.4-alpha

Patches

Vulnerability mechanics

Root cause

"Missing validation of weak Diffie-Hellman public keys allows an attacker to force the shared secret to a known value."

Attack vector

A malicious Tor server acting as the first hop in a circuit can replace the client's encrypted DH value g^x with g^0 before forwarding it to the next server. The next server responds with g^y and H(1^y), which the attacker relays back to the client as g^0 and H(1^y). Both the client and the honest server compute the shared key K=1, allowing the attacker to learn all subsequent keys negotiated for the rest of the circuit and read or modify all traffic.

Affected code

Tor versions 0.1.0.13 and earlier (stable) and 0.1.1.4-alpha and earlier (experimental) fail to reject weak Diffie-Hellman keys during ephemeral handshakes. The flaw is in the DH handshake implementation where the client does not validate that the received public key is not a weak value such as 0, 1, or p-1.

What the fix does

The patch adds validation to reject DH public keys that are weak: values of 0, 1, p-1, keys less than 0 or greater than or equal to p, keys with fewer than 16 zero bits or 16 one bits, and keys less than 2^24 or greater than p - 2^24. This prevents an attacker from forcing the shared secret to a known value like 1, closing the man-in-the-middle attack.

Preconditions

  • configThe attacker must operate a malicious Tor server that the client selects as the first hop in a circuit.
  • networkThe attacker must be able to intercept and modify DH handshake messages between the client and subsequent servers in the circuit.

Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.