CVE-2018-10066

{"id": "CVE-2018-10066", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2018-04-13T13:29:00.487", "references": [{"url": "https://janis-streib.de/2018/04/11/mikrotik-openvpn-security", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://janis-streib.de/2018/04/11/mikrotik-openvpn-security", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in MikroTik RouterOS 6.41.4. Missing OpenVPN server certificate verification allows a remote unauthenticated attacker capable of intercepting client traffic to act as a malicious OpenVPN server. This may allow the attacker to gain access to the client's internal network (for example, at site-to-site tunnels)."}, {"lang": "es", "value": "Se ha descubierto un problema en MikroTik RouterOS 6.41.4. La falta de verificaci\u00f3n de certificados del servidor OpenVPN permite que un atacante remoto no autenticado intercepte el tr\u00e1fico del cliente para actuar como un servidor OpenVPN malicioso. Esto podr\u00eda permitir que el atacante obtenga acceso a la red interna del cliente (por ejemplo, en t\u00faneles site-to-site)."}], "lastModified": "2024-11-21T03:40:45.143", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mikrotik:routeros:6.41.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7DDA40BC-3E41-422D-BB2A-FE3AFCE2ECFB"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}