Tails live OS affected by critical zero-day vulnerabilities

A researchers at the Exodus Intelligence firm has discovered a series of zero day vulnerabilities in the popular Tails Linux-based distribution.

A researcher at Exodus Intelligence has discovered critical zero-day vulnerabilities in the popular Tails live operating system. Tails is considered by security experts an indispensable tool to preserve the privacy and security of users that intend to avoid surveillance and censorship.

The flaws in the Linux-based operating system Tails could be used by an attacker to reveal users’ identity according to the expert. Tails includes a suite of privacy applications and is designed to ensure users’ privacy while surfing through Tor network.

According to the researcher, the presence of critical flaws in Tails could be exploited by bad actors and law enforcements to de-anonymize Tor users and execute code remotely.

The researcher initially hasn’t provided the details about the vulnerabilities, the company just informed its followers through Twitter of the disconcerting discovery.

The firm didn’t plan to release the details of the exploit until the Tails development team will not fix them, but anyway, it said it would release details about the zero-day flaws in a series of blog posts next week.

But while I’m writing Exodus Intelligence revealed that the flaw lies in the I2P software that is included in the Tails distro and the company has released some details and a video demonstrating the exploitation of the vulnerability.

““The vulnerability we will be disclosing is specific to I2P. I2P currently boasts about 30,000 active peers. Since I2P has been bundled with Tails since version 0.7, Tails is by far the most widely adopted I2P usage. The I2P vulnerability works on default, fully patched installation of Tails. No settings or configurations need to be changed for the exploit to work,” the Exodus team wrote in a post explaining a bit about the flaw.”

Exodus Intelligence is a firm specialized in the identification of zero-day vulnerabilities, defensive guidance and vulnerability research trends. It sells its products to private clients and government entities, including the DARPA, imagine the availability of a Tails zero-day exploit in the hand of Intelligence.

“Our main goalwas to bring attention to the fact that no software is infallible and those seeking anonymity should not blindly trust a software recommendation (even if it is from Snowden),” said Aaron Portnoy, co-founder and vice president of Exodus.

Today a new version of the OS has been released, Tails 1.1, but experts at Exodus warned with a tweet that despite the distribution has been updated, also its latest version is still vulnerable to the zero-day attacks.

Tails 1_1 vulnerable tweet

On the other side the development team of Tails declared that it is unaware of the zero-day vulnerabilities

“We were not contacted by Exodus Intel prior to their tweet. In fact, a more irritated version of this text was ready when we finally received an email from them. They informed us that they would provide us with a report within a week. We’re told they won’t disclose these vulnerabilities publicly before we have corrected it, and Tails users have had a chance to upgrade. We think that this is the right process to responsibly disclose vulnerabilities, and we’re really looking forward to read this report.” is reported in the post published by the Tails dev team.

Tails team also confirmed that it will deploy some extra features to improve the security of the operating system and protect users’s privacy.

Being fully aware of this kind of threat, we’re continuously working on improving Tails’ security in depth. Among other tasks, we’re working on a tight integration of AppArmor in Tails, kernel and web browser hardening as well as sandboxing, just to name a few examples.” the Tails team added.

The discovery Exodus researcher is the confirmation that any software could be potentially affected by a flaw … and every flaw could be exploited by your enemies.

Pierluigi Paganini

Security Affairs –  (Tails, privacy)