Description
Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier allows a man-in-the-middle attack to disable the encryption of VPN packets.
References (4)
Core 4
Core References
Various Sources
http://www.tinc-vpn.org/git/browse?p=tinc%3Ba=commit%3Bh=e97943b7cc9c851ae36f5a41e2b6102faa74193f
Vendor Advisory
http://tinc-vpn.org/security/
Third Party Advisory
https://www.starwindsoftware.com/security/sw-20190227-0003/
Third Party Advisory vendor-advisory
https://www.debian.org/security/2018/dsa-4312
Scores
CVSS v3
5.9
EPSS
0.0095
EPSS Percentile
56.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-306
Status
published
Products (3)
debian/debian_linux
9.0
starwindsoftware/starwind_virtual_san
v8 build12533 (2 CPE variants)
tinc-vpn/tinc
< 1.0.34
Published
Oct 10, 2018
Tracked Since
Feb 18, 2026