SB2018121829 - Fedora 28 update for tinc




Published: December 18, 2018 Updated: April 24, 2025

Security Bulletin ID: SB2018121829
Severity: Medium
Patch available: YES
Number of vulnerabilities: 3
Exploitation vector: Remote access
Highest impact: Information disclosure

Breakdown by Severity

Medium 67% Low 33%

Description

This security bulletin contains information about 3 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2018-16737)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.


2) Improper Authentication (CVE-ID: CVE-2018-16738)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.


3) Missing Authentication for Critical Function (CVE-ID: CVE-2018-16758)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.


Remediation

Install the update from the vendor's website.