OpenCVE

Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Debian	Debian Linux
Starwindsoftware	Starwind Virtual San
Tinc-vpn	Tinc

Configuration 1 [-]

cpe:2.3:a:tinc-vpn:tinc:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3 [-]

OR	cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build12533::::vsphere::*
	cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build12658::::vsphere::*

No data.

References

Link	Providers
http://tinc-vpn.org/security/
http://www.tinc-vpn.org/git/browse?p=tinc%3Ba=commit%3Bh=e97943b7cc9c851ae36f5a41e2b6102faa74193f
https://www.debian.org/security/2018/dsa-4312
https://www.starwindsoftware.com/security/sw-20190227-0003/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-10-10T00:00:00

Updated: 2024-08-05T10:32:53.975Z

Reserved: 2018-09-09T00:00:00

Link: CVE-2018-16758

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-10-10T21:29:02.103

Modified: 2024-11-21T03:53:17.657

Link: CVE-2018-16758

Redhat

No data.

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tinc-vpn:tinc:*:*:*:*:*:*:*:*", "matchCriteriaId": "C9D1A7EF-6097-4C0A-8A2D-A7311F254FFF", "versionEndIncluding": "1.0.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build12533:*:*:*:vsphere:*:*", "matchCriteriaId": "0E5C2815-65C8-48D7-BF31-6104EDD0CBE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:starwindsoftware:starwind_virtual_san:v8:build12658:*:*:*:vsphere:*:*", "matchCriteriaId": "6FF4A265-AFFD-4853-B3CE-A55E950E8B5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets."}, {"lang": "es", "value": "La falta de autenticaci\u00f3n de mensajes en el protocolo meta en Tinc VPN en versiones 1.0.34 y anteriores permite que un ataque Man-in-the-Middle (MitM) deshabilite el cifrado de paquetes VPN."}], "id": "CVE-2018-16758", "lastModified": "2024-11-21T03:53:17.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-10-10T21:29:02.103", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "http://tinc-vpn.org/security/"}, {"source": "cve@mitre.org", "url": "http://www.tinc-vpn.org/git/browse?p=tinc%3Ba=commit%3Bh=e97943b7cc9c851ae36f5a41e2b6102faa74193f"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4312"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.starwindsoftware.com/security/sw-20190227-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://tinc-vpn.org/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.tinc-vpn.org/git/browse?p=tinc%3Ba=commit%3Bh=e97943b7cc9c851ae36f5a41e2b6102faa74193f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4312"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.starwindsoftware.com/security/sw-20190227-0003/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}