Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 669476 (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758) - <net-vpn/tinc-{1.0.35-r2, 1.1_pre17}: Multiple Vulnerabilities
Summary: <net-vpn/tinc-{1.0.35-r2, 1.1_pre17}: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2018-16737, CVE-2018-16738, CVE-2018-16758
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2018-10-24 06:03 UTC by Pavol Cupka
Modified: 2019-04-28 02:45 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Pavol Cupka 2018-10-24 06:03:26 UTC 
CVE-2018-16738: Michael Yonli discoverd that tinc versions 1.0.30 to 1.0.34 allow an oracle attack, similar to CVE-2018-16737, but due to the mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now requires a timing attack that has only a limited time to complete. Tinc 1.1pre16 and earlier are also affected if there are nodes on the same VPN that still use the legacy protocol from tinc version 1.0.x.

https://www.tinc-vpn.org/security/

Reproducible: Always

Steps to Reproduce:
1. please see 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738



Versions 1.0.35 and 1.1pre17 released.

    Prevent oracle attacks (CVE-2018-16737, CVE-2018-16738).
    Prevent a MITM from forcing a NULL cipher for UDP (CVE-2018-16758).
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 05:46:10 UTC 
CVE-2018-16738: Michael Yonli discoverd that tinc versions 1.0.30 to 1.0.34 allow an oracle attack, similar to CVE-2018-16737, but due to the mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now requires a timing attack that has only a limited time to complete. Tinc 1.1pre16 and earlier are also affected if there are nodes on the same VPN that still use the legacy protocol from tinc version 1.0.x.

CVE-2018-16737: Michael Yonly discovered that tinc 1.0.29 and earlier allow an oracle attack that could allow a remote attacker to establish one-way communication with a tinc node, allowing it to send fake control messages and inject packets into the VPN. The attack takes only a few seconds to complete. Tinc 1.1pre14 and earlier allow the same attack if they are configured to allow connections from nodes using the legacy 1.0.x
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2019-04-27 05:52:26 UTC 
Maintainers, please advise if current version in tree has the fixes for these vulnerabilities, so we can close the bug.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2019-04-27 14:44:58 UTC 
Release notes:

https://www.tinc-vpn.org/download/
Comment 4 Yixun Lan archtester gentoo-dev 2019-04-28 02:45:40 UTC 
(In reply to Yury German from comment #2)
> Maintainers, please advise if current version in tree has the fixes for
> these vulnerabilities, so we can close the bug.

yes, all current versions in tree (1.0.35-r2 and 1.1_pre17) include the fixes,
so we can close this bug safely, thanks for poking this ..