CVE-2023-23589: 
NixOS vulnerability analysis and mitigation

The SafeSocks option in Tor before 0.4.7.13 contains a logic error (CVE-2023-23589, also known as TROVE-2022-002) discovered in January 2023. This vulnerability affects the SOCKS protocol implementation where the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a protocol (Tor Commit, NVD).

The vulnerability stems from an inverted logic in the SOCKS protocol implementation. The issue was introduced in commit 9155e084, where the code incorrectly processes SOCKS4 and SOCKS4a requests. When SafeSocks is set to 1, the system does the opposite of what it should, ensuring users make only unsafe requests instead of safe ones. The vulnerability has a CVSS v3.1 base score of 6.5 (MEDIUM) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (NVD).

The vulnerability leads to DNS leaks that occur under a configuration intended to guard against such possibilities. Users configuring SOCKS4 applications that don't support SOCKS4a would be led to believe their traffic is fully secured, when DNS requests are actually being leaked. Additionally, users configuring applications that support SOCKS4a could be misled into selecting SOCKS4 instead, as Tor will error out if they try to use the safe configuration (Tor Issue).

The vulnerability was fixed in Tor version 0.4.7.13. Users are strongly recommended to upgrade to this version or later. Various distributions have released security updates including Debian (version 0.4.5.16-1 for bullseye), Fedora (version 0.4.7.13-1), and Gentoo (version >= 0.4.7.13) (Debian Advisory, Fedora Update, Gentoo Advisory).