ID CVE-2018-16758
Summary Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.
References
Vulnerable Configurations
CVSS
Base: None
Impact:
Exploitability:
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4312.NASL
    description Several vulnerabilities were discovered in tinc, a Virtual Private Network (VPN) daemon. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2018-16738 Michael Yonli discovered a flaw in the implementation of the authentication protocol that could allow a remote attacker to establish an authenticated, one-way connection with another node.
      - CVE-2018-16758 Michael Yonli discovered that a man-in-the-middle that has intercepted a TCP connection might be able to disable encryption of UDP packets sent by a node.
    last seen 2018-11-14
    modified 2018-11-13
    plugin id 117958
    published 2018-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117958
    title Debian DSA-4312-1 : tinc - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_A4EB38EACC0611E8ADA4408D5CF35399.NASL
    description tinc-vpn.org reports: The authentication protocol allows an oracle attack that could potentially be exploited. If a man-in-the-middle has intercepted the TCP connection it might be able to force plaintext UDP packets between two nodes for up to a PingInterval period.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 118024
    published 2018-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118024
    title FreeBSD : tinc -- Buffer overflow (a4eb38ea-cc06-11e8-ada4-408d5cf35399)
refmap via4
confirm
debian DSA-4312
Last major update 10-10-2018 - 17:29
Published 10-10-2018 - 17:29
Last modified 10-10-2018 - 17:29