J-Security Center

Latest Attack Object Updates
  • IDP Daily Update #1545
    posted: 11/19/09
  • NSM Daily Update #1545
    posted: 11/19/09
  • Deep Inspection 5.3r5 and above, 5.4, 6.0 #1545
    posted: 11/19/09
  • Deep Inspection 5.1 and 5.2 #1435
    posted: 11/19/09
  • Deep Inspection 5.0, 5.3r4 and below #1132
    posted: 03/28/08 (04/01/08 for 5.0)
  • Antivirus
    posted: 11/19/09

Title: tinc VPN Replay Attack Vulnerability

Severity: MODERATE

Description:

tinc is a Virtual Private Network (VPN) daemon designed for Linux and Unix based systems. It acts as a tunnel for a network interface, and embeds all communication into a sequence of encrypted UDP packets. This allows private network communication to occur through a larger network. tinc uses blowfish in cipher block chaining (CBC) mode to encrypt packets. The secret key is shared via a PKI-style handshake during the authentication process between two tinc daemons.

Any CBC cipher has a self correcting property. As decryption of a block is based only on the key and the previous block of ciphertext, any errors (or malicious discrepencies) in the cipher stream can not have an adverse affect on blocks more than one step forward in the stream.

An attacker may in general replace part of an encrypted stream with data from a different stream encrypted with the same key. While the initial block of the inserted data will decrypt incorrectly, the remainder will result in the correct plaintext. This is a form of replay attack, and has been documented at length in more general contexts.

Within the context of tinc, an attacker may be able to take advantage of knowledge about the structure of network traffic. If an attacker is aware that two packets will have similar payloads, he may substitute one for the other through a man in the middle attack. Although the actual payload information will not be known, the substitution may still appear to be valid data, possibly subverting the communication.

While some protocols such as TCP have additional facilities to detect and prevent this, other applications may be vulnerable. For example, a UDP based communication could easily be subjected to this sort of attack. The actual effectiveness will probably be highly application dependant. Successful exploitation of this vulnerability may result in extremely subtle compromises in communication.

In order to exploit this vulnerability, the attacker must be able to modify network traffic. A man in the middle attack may be difficult, as tinc includes support for secure authentication between tinc daemons.

This vulnerability may be aggravated by BID 3836, which grants a limited ability to detect traffic patterns in tinc encrypted communication:

http://www.securityfocus.com/bid/3836

Affected Products:

  • tinc tinc 1.0.0pre3
  • tinc tinc 1.0.0pre4

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.