Vulnerabilites related to tailscale - tailscale
Vulnerability from fkie_nvd
Published
2022-11-23 19:15
Modified
2024-11-21 07:24
Severity ?
Summary
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| security-advisories@github.com | https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp | Third Party Advisory | |
| security-advisories@github.com | https://tailscale.com/security-bulletins/#ts-2022-004 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tailscale.com/security-bulletins/#ts-2022-004 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*", matchCriteriaId: "F2CCEDE3-89FA-4B6C-9BDA-4045A0090908", versionEndExcluding: "1.32.3", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", matchCriteriaId: "A2572D17-1DE6-457B-99CC-64AFD54487EA", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.", }, { lang: "es", value: "Una vulnerabilidad identificada en el cliente Tailscale de Windows permite que un sitio web malicioso reconfigure el daemon Tailscale \"tailscaled\", que luego puede usarse para ejecutar código de forma remota. En el cliente Tailscale de Windows, la API local estaba vinculada a un socket TCP local y se comunicaba con la GUI del cliente de Windows en texto plano sin verificación del encabezado del Host. Esto permitió que un sitio web controlado por un atacante visitado por el nodo volviera a vincular DNS a un servidor DNS controlado por un atacante y luego realizar solicitudes de API locales en el cliente, incluido el cambio del servidor de coordinación a un servidor de coordinación controlado por un atacante. Un servidor de coordinación controlado por un atacante puede enviar respuestas URL maliciosas al cliente, incluida la inserción de ejecutables o la instalación de un recurso compartido SMB. Estos permiten al atacante ejecutar código de forma remota en el nodo. Todos los clientes de Windows anteriores a la versión v.1.32.3 se ven afectados. Si está ejecutando Tailscale en Windows, actualice a la versión 1.32.3 o posterior para solucionar el problema.", }, ], id: "CVE-2022-41924", lastModified: "2024-11-21T07:24:04.797", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H", version: "3.0", }, exploitabilityScore: 2.8, impactScore: 6, source: "security-advisories@github.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-23T19:15:12.400", references: [ { source: "security-advisories@github.com", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://emily.id.au/tailscale", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2022-004", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://emily.id.au/tailscale", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2022-004", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-346", }, { lang: "en", value: "CWE-352", }, ], source: "security-advisories@github.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-346", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2022-11-23 19:15
Modified
2024-11-21 07:24
Severity ?
Summary
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| security-advisories@github.com | https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6 | Third Party Advisory | |
| security-advisories@github.com | https://tailscale.com/security-bulletins/#ts-2022-005 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tailscale.com/security-bulletins/#ts-2022-005 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*", matchCriteriaId: "F2CCEDE3-89FA-4B6C-9BDA-4045A0090908", versionEndExcluding: "1.32.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.", }, { lang: "es", value: "Una vulnerabilidad identificada en el cliente Tailscale permite que un sitio web malicioso acceda a la API del mismo nivel, que luego puede usarse para acceder a las variables de entorno de Tailscale. En el cliente Tailscale, la API del mismo nivel era vulnerable a la nueva vinculación de DNS. Esto permitió que un sitio web controlado por un atacante visitado por el nodo volviera a vincular el DNS para la API del mismo nivel a un servidor DNS controlado por el atacante y luego realizar solicitudes de API del mismo nivel en el cliente, incluido el acceso a las variables de entorno Tailscale del nodo. Un atacante con acceso a la API del mismo nivel en un nodo podría usar ese acceso para leer las variables de entorno del nodo, incluidas las credenciales o secretos almacenados en las variables de entorno. Esto puede incluir claves de autenticación de Tailscale, que luego podrían usarse para agregar nuevos nodos a la red trasera del usuario. El acceso a la API de pares también podría usarse para conocer otros nodos en la tailnet o enviar archivos a través de Taildrop. Todos los clientes de Tailscale anteriores a la versión v1.32.3 se ven afectados. Actualice a v1.32.3 o posterior para solucionar el problema.", }, ], id: "CVE-2022-41925", lastModified: "2024-11-21T07:24:04.933", metrics: { cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", version: "3.0", }, exploitabilityScore: 2.1, impactScore: 1.4, source: "security-advisories@github.com", type: "Secondary", }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2022-11-23T19:15:12.487", references: [ { source: "security-advisories@github.com", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://emily.id.au/tailscale", }, { source: "security-advisories@github.com", tags: [ "Third Party Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2022-005", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Technical Description", "Third Party Advisory", ], url: "https://emily.id.au/tailscale", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2022-005", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-352", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-23 20:15
Modified
2024-11-21 07:55
Severity ?
5.7 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.
Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.
Affected users should upgrade to version 1.38.2 to remediate the issue.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*", matchCriteriaId: "627EF495-6BE7-4E49-95B1-2F6F67C153EF", versionEndExcluding: "1.38.2", versionStartIncluding: "1.34", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.\n\nAffected users should upgrade to version 1.38.2 to remediate the issue.\n\n", }, ], id: "CVE-2023-28436", lastModified: "2024-11-21T07:55:03.773", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 5.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.2, impactScore: 4, source: "security-advisories@github.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "HIGH", baseScore: 8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.1", }, exploitabilityScore: 2.1, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-03-23T20:15:15.487", references: [ { source: "security-advisories@github.com", tags: [ "Patch", ], url: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", }, { source: "security-advisories@github.com", tags: [ "Patch", "Release Notes", ], url: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", }, { source: "security-advisories@github.com", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", }, { source: "security-advisories@github.com", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2023-003", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", ], url: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Release Notes", ], url: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mitigation", "Vendor Advisory", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://tailscale.com/security-bulletins/#ts-2023-003", }, ], sourceIdentifier: "security-advisories@github.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-269", }, ], source: "security-advisories@github.com", type: "Primary", }, ], }
cve-2022-41924
Vulnerability from cvelistv5
Published
2022-11-23 00:00
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:56:38.505Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://emily.id.au/tailscale", }, { tags: [ "x_transferred", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp", }, { tags: [ "x_transferred", ], url: "https://tailscale.com/security-bulletins/#ts-2022-004", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "tailscale", vendor: "tailscale", versions: [ { status: "affected", version: "< 1.32.3", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-346", description: "CWE-346: Origin Validation Error", lang: "en", type: "CWE", }, ], }, { descriptions: [ { cweId: "CWE-352", description: "CWE-352: Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-23T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://emily.id.au/tailscale", }, { url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp", }, { url: "https://tailscale.com/security-bulletins/#ts-2022-004", }, ], source: { advisory: "GHSA-vqp6-rc3h-83cp", discovery: "UNKNOWN", }, title: "Tailscale Windows daemon is vulnerable to RCE via CSRF", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-41924", datePublished: "2022-11-23T00:00:00", dateReserved: "2022-09-30T00:00:00", dateUpdated: "2024-08-03T12:56:38.505Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-28436
Vulnerability from cvelistv5
Published
2023-03-23 19:27
Modified
2025-02-25 14:50
Severity ?
EPSS score ?
Summary
Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.
Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.
Affected users should upgrade to version 1.38.2 to remediate the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595 | x_refsource_CONFIRM | |
| https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d | x_refsource_MISC | |
| https://github.com/tailscale/tailscale/releases/tag/v1.38.2 | x_refsource_MISC | |
| https://tailscale.com/security-bulletins/#ts-2023-003 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T12:38:25.336Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", }, { name: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", }, { name: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", }, { name: "https://tailscale.com/security-bulletins/#ts-2023-003", tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://tailscale.com/security-bulletins/#ts-2023-003", }, ], title: "CVE Program Container", }, { metrics: [ { other: { content: { id: "CVE-2023-28436", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-25T14:28:14.011420Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-25T14:50:44.790Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "tailscale", vendor: "tailscale", versions: [ { status: "affected", version: ">= 1.34.0, < 1.38.2", }, ], }, ], descriptions: [ { lang: "en", value: "Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.\n\nAffected users should upgrade to version 1.38.2 to remediate the issue.\n\n", }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 5.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "HIGH", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-269", description: "CWE-269: Improper Privilege Management", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-03-23T19:27:48.051Z", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { name: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", tags: [ "x_refsource_CONFIRM", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595", }, { name: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", tags: [ "x_refsource_MISC", ], url: "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d", }, { name: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", tags: [ "x_refsource_MISC", ], url: "https://github.com/tailscale/tailscale/releases/tag/v1.38.2", }, { name: "https://tailscale.com/security-bulletins/#ts-2023-003", tags: [ "x_refsource_MISC", ], url: "https://tailscale.com/security-bulletins/#ts-2023-003", }, ], source: { advisory: "GHSA-vfgq-g5x8-g595", discovery: "UNKNOWN", }, title: "Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2023-28436", datePublished: "2023-03-23T19:27:48.051Z", dateReserved: "2023-03-15T15:59:10.053Z", dateUpdated: "2025-02-25T14:50:44.790Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-41925
Vulnerability from cvelistv5
Published
2022-11-23 00:00
Modified
2024-08-03 12:56
Severity ?
EPSS score ?
Summary
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T12:56:38.535Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", }, { tags: [ "x_transferred", ], url: "https://emily.id.au/tailscale", }, { tags: [ "x_transferred", ], url: "https://tailscale.com/security-bulletins/#ts-2022-005", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "tailscale", vendor: "tailscale", versions: [ { status: "affected", version: "< 1.32.3", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.", }, ], metrics: [ { cvssV3_0: { attackComplexity: "LOW", attackVector: "ADJACENT_NETWORK", availabilityImpact: "NONE", baseScore: 3.8, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", version: "3.0", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-352", description: "CWE-352: Cross-Site Request Forgery (CSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2022-11-23T00:00:00", orgId: "a0819718-46f1-4df5-94e2-005712e83aaa", shortName: "GitHub_M", }, references: [ { url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", }, { url: "https://emily.id.au/tailscale", }, { url: "https://tailscale.com/security-bulletins/#ts-2022-005", }, ], source: { advisory: "GHSA-qccm-wmcq-pwr6", discovery: "UNKNOWN", }, title: "Tailscale daemon is vulnerable to information disclosure via CSRF", }, }, cveMetadata: { assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa", assignerShortName: "GitHub_M", cveId: "CVE-2022-41925", datePublished: "2022-11-23T00:00:00", dateReserved: "2022-09-30T00:00:00", dateUpdated: "2024-08-03T12:56:38.535Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }