tinc SECURITY INFORMATION - Unauthorized access to VPN
Ivo Timmermans
zarq at spark.icicle.yi.org
Sun Sep 10 16:35:01 CEST 2000
Although we (the authors of tinc) have done our best to make tinc as
secure as possible, an unfortunate combination of encryption and key
exchange techniques has created a hole in at least all versions of
tinc >= 0.3, including the current CVS version.
Exploit:
If somebody can intercept the meta protocol to a host that is running
a tinc daemon, it is possible to decrypt the passphrase, which can
then be used to gain unauthorized access to the VPN, and become a part
of it.
Workaround:
Add firewall rules so that only trusted hosts can connect to the tinc
daemon.
Fix:
We are currently working on the implementation of a new protocol, with
a different authentication scheme. We expect to have a working
version in CVS around next weekend, we will release a new version
(1.0pre3) when this becomes stable.
Guus Sliepen
Ivo Timmermans
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://brouwer.uvt.nl/pipermail/tinc/attachments/20000910/7afc8968/attachment.pgp
More information about the Tinc
mailing list