#VU33042 Missing Authentication for Critical Function - CVE-2018-16758

Cybersecurity Help s.r.o.

Published: 2018-10-10 | Updated: 2020-08-03

Vulnerability identifier: #VU33042

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2018-16758

CWE-ID: CWE-306

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.

Mitigation
Install update from vendor's website.

External links
https://tinc-vpn.org/security/
https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f
https://www.debian.org/security/2018/dsa-4312

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 28 update for tinc

Fedora 29 update for tinc

Fedora EPEL 7 update for tinc

Missing Authentication for Critical Function in tinc (Alpine package)