MidnightBSD

Advisories for tinc-vpn

CVE-2013-1428 MEDIUM

Stack-based buffer overflow in the receive_tcppacket function in net_packet.c in tinc before 1.0.21 and 1.1 before 1.1pre7 allows remote authenticated peers to cause a denial of service (crash) or possibly execute arbitrary code via a large TCP packet.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-119,

Products Affected

Vendor Product Version
tinc-vpn tinc 1.0.18
tinc-vpn tinc 1.0.17
tinc-vpn tinc 1.0.19
tinc-vpn tinc 1.1
tinc-vpn tinc *
CVE-2018-16737 MEDIUM

tinc before 1.0.30 has a broken authentication protocol, without even a partial mitigation.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
tinc-vpn tinc *
starwindsoftware starwind_virtual_san v8
CVE-2018-16738 MEDIUM

tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation. This is fixed in 1.1.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 3.7 LOW CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N 2.2 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
tinc-vpn tinc *
starwindsoftware starwind_virtual_san v8
debian debian_linux 9.0
CVE-2018-16758 MEDIUM

Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.9 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N 2.2 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-306,

Products Affected

Vendor Product Version
tinc-vpn tinc *
starwindsoftware starwind_virtual_san v8
debian debian_linux 9.0