X-Git-Url: https://tinc-vpn.org/git/browse?p=wiki;a=blobdiff_plain;f=security.mdwn;h=aa05ea3cf998506847d14d67df6eb4d1ab2e09ec;hp=91c56478550581f6e2f82b9de047e01c35ec0422;hb=fa4c1b3599ae5192b205149a2b2f565c6cff6732;hpb=c17a279695469a072028fdcef8967a911bf1128e diff --git a/security.mdwn b/security.mdwn index 91c5647..aa05ea3 100644 --- a/security.mdwn +++ b/security.mdwn 
@@ -1,9 +1,30 @@ +## Reporting security issues + +In case you have found a security issue in tinc, please report it via email +to Guus Sliepen , preferrably PGP encrypted. +We will then try to get a CVE number assigned, and coordinate a bugfix release with major Linux distributions. + +## Security advisories + +The following list contains advisories for security issues in tinc in old versions: + +- [CVE-2013-1428](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1428), + [DSA-2663](https://www.debian.org/security/2013/dsa-2663), + [Sitsec advisory](http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers): + stack based buffer overflow + +- [CVE-2002-1755](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1755): + tinc 1.0pre3 and 1.0pre4 VPN do not authenticate forwarded packets, which allows remote attackers to inject data into user sessions without detection, and possibly control the data contents via cut-and-paste attacks on CBC. + +- [CVE-2001-1505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1505): + tinc 1.0pre3 and 1.0pre4 allow remote attackers to inject data into user sessions by sniffing and replaying packets. + ## Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages For those who run tinc on Debian or Debian-based distributions like Ubuntu and Knoppix, be advised that the following security issue affects tinc as well: -[http://www.debian.org/security/2008/dsa-1571](http://www.debian.org/security/2008/dsa-1571) +[https://www.debian.org/security/2008/dsa-1571](https://www.debian.org/security/2008/dsa-1571) In short, if you generated public/private keypairs for tinc between 2006 and May 7th, 2008 on a machine running Debian or a derivative, they may have been generated without a properly seeded random 
@@ -22,7 +43,7 @@ well. Regenerate any keying material that you have exchanged via your tinc VPN if any of the nodes was running on an affected platform. -## Security issues in tinc +## Known security issues in tinc 1.0.x Although tinc uses the OpenSSL library, it does not use the SSL protocol to establish connections between daemons. The reasons for this were: @@ -37,10 +58,8 @@ René Korthaus, Andreas Hübner, Felix Stein and Wladimir Paulsen have also look and have provided a more in-depth analysis of the most critical weaknesses. In the interest of full disclosure we will list the known weaknesses below. -For tinc 2.0 and later we will use a standard protocol like SSH or TLS to perform authentication. -For the encapsulated packets, we will consider protocols like DTLS, but due to the specific needs of a peer-to-peer VPN, -we might also keep our own protocol, but update it to current security standards. -We might also release an interim version that just fixes the vulnerabilities in tinc 1.x in the near future. +Tinc 1.1pre3 and later will use a new protocol that fixes all these issues, +and that is similar to (D)TLS with a strong cipher suite. ### Predictable IV
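Review bot: In the first hunk (`@@ -1,9 +1,30 @@`), the advisory entry for CVE-2013-1428 says only "stack based buffer overflow" and, unlike the two older entries that name tinc 1.0pre3 and 1.0pre4, gives no affected or fixed version, so a reader cannot tell from the list whether their installation is exposed; suggest adding the affected range and the release that fixes it, and hyphenating as "stack-based buffer overflow". Two smaller points in the same hunk: "preferrably" should be "preferably", and the reporting line reads "to Guus Sliepen ," with nothing between the name and the comma, so check that the contact address (or mailto link) actually survives in the rendered page rather than being swallowed by the markup.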
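Review bot: In the second hunk (`@@ -22,7 +43,7 @@`), renaming the heading to "Known security issues in tinc 1.0.x" narrows the scope, but the paragraph directly under it still speaks of tinc in general ("Although tinc uses the OpenSSL library, it does not use the SSL protocol ..."); consider stating in that paragraph that the analysis applies to the 1.0 protocol so the body matches the new heading.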
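Review bot: In the last hunk (`@@ -37,10 +58,8 @@`), the replacement paragraph drops the sentence about an interim release fixing the vulnerabilities in tinc 1.x, so together with the heading change to "tinc 1.0.x" the page no longer tells 1.0.x users whether those weaknesses will be fixed in their branch or whether upgrading to 1.1pre3 is the only remedy; suggest adding one sentence with that guidance. Also, "a new protocol that fixes all these issues" is a broad claim about an unnamed protocol; naming it or linking to its description would let readers verify which of the weaknesses listed below it addresses.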