TAILS Team Recommends Workarounds for Flaw in I2P

Type threatpost
Reporter Dennis Fisher
Modified 2014-07-25T18:58:24


The developers of the TAILS operating system say that users can mitigate the severity of the critical vulnerability researchers discovered in the I2P software that’s bundled with TAILS with a couple of workarounds, but there is no patch for the bug yet.

The vulnerability that affects TAILS is in the I2P anonymity network software that comes with the operating system. The exact details of the flaw haven’t been made public, but researchers at Exodus Intelligence, who discovered the vulnerability, have shared them with the TAILS team. The developers say that the problem affects versions 1.1 and earlier, which is all of the current versions of the software.

The good news is that users have to start I2P manually, so it’s not part of the default attack surface. I2P is an anonymous network without any central infrastructure that encrypts all of users’ communications. The software is bundled with the TAILS operating system, and the researchers at Exodus discovered a vulnerability in the I2P platform that enables a remote attacker to gain remote code execution or strip away a targeted user’s anonymity.

The TAILS developers warned users that, despite the safeguards built into the software, there are ways that attackers can exploit the vulnerability.

“Tails does not start I2P by default. This design decision was made precisely in order to protect the Tails users who do not use I2P from security holes in this piece of software,” the developers said in an advisory.

“Still, an attacker who would also be able to start I2P on your Tails, either by exploiting another undisclosed security hole, or by tricking you into starting it yourself, could then use this I2P security hole to de-anonymize you.”

The developers recommend that users not start I2P when they launch TAILS, or remove the I2P package altogether every time they start TAILS. Any users who still need I2P can protect themselves by enabling the NoScript plugin in the Tor browser, which will disable JavaScript.