SB2018100939 - Missing Authentication for Critical Function in tinc (Alpine package)
Published: October 9, 2018
Security Bulletin ID
SB2018100939
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Missing Authentication for Critical Function (CVE-ID: CVE-2018-16758)
CWE-ID: CWE-306 - Missing Authentication for Critical Function
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.
Remediation
Install update from vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=a81e84b56a240e3ca575ba9d0aca7f3fedb518d0
- https://git.alpinelinux.org/aports/commit/?id=4bae97cf753480617c190b18324ad04d705294b6
- https://git.alpinelinux.org/aports/commit/?id=4d5a8dd7fdeb7671773360ec78521fd9557ababf
- https://git.alpinelinux.org/aports/commit/?id=28150adaf85ebb64ea4668c5fa3e5658e46058e7