Vulnerabilites related to tailscale - tailscale
CVE-2023-28436 (GCVE-0-2023-28436)
Vulnerability from cvelistv5
Published
2023-03-23 19:27
Modified
2025-02-25 14:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-269 - Improper Privilege Management
Summary
Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.
Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.
Affected users should upgrade to version 1.38.2 to remediate the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595 | x_refsource_CONFIRM | |
| https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d | x_refsource_MISC | |
| https://github.com/tailscale/tailscale/releases/tag/v1.38.2 | x_refsource_MISC | |
| https://tailscale.com/security-bulletins/#ts-2023-003 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T12:38:25.336Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
},
{
"name": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
},
{
"name": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
},
{
"name": "https://tailscale.com/security-bulletins/#ts-2023-003",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tailscale.com/security-bulletins/#ts-2023-003"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28436",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:28:14.011420Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:50:44.790Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tailscale",
"vendor": "tailscale",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c 1.38.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.\n\nAffected users should upgrade to version 1.38.2 to remediate the issue.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-03-23T19:27:48.051Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
},
{
"name": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
},
{
"name": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
},
{
"name": "https://tailscale.com/security-bulletins/#ts-2023-003",
"tags": [
"x_refsource_MISC"
],
"url": "https://tailscale.com/security-bulletins/#ts-2023-003"
}
],
"source": {
"advisory": "GHSA-vfgq-g5x8-g595",
"discovery": "UNKNOWN"
},
"title": "Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28436",
"datePublished": "2023-03-23T19:27:48.051Z",
"dateReserved": "2023-03-15T15:59:10.053Z",
"dateUpdated": "2025-02-25T14:50:44.790Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41924 (GCVE-0-2022-41924)
Vulnerability from cvelistv5
Published
2022-11-23 00:00
Modified
2025-04-22 16:01
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.505Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://emily.id.au/tailscale"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp"
},
{
"tags": [
"x_transferred"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-004"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41924",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:17.008228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:01:49.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tailscale",
"vendor": "tailscale",
"versions": [
{
"status": "affected",
"version": "\u003c 1.32.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-23T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://emily.id.au/tailscale"
},
{
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp"
},
{
"url": "https://tailscale.com/security-bulletins/#ts-2022-004"
}
],
"source": {
"advisory": "GHSA-vqp6-rc3h-83cp",
"discovery": "UNKNOWN"
},
"title": "Tailscale Windows daemon is vulnerable to RCE via CSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41924",
"datePublished": "2022-11-23T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-22T16:01:49.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41925 (GCVE-0-2022-41925)
Vulnerability from cvelistv5
Published
2022-11-23 00:00
Modified
2025-04-22 16:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.535Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
},
{
"tags": [
"x_transferred"
],
"url": "https://emily.id.au/tailscale"
},
{
"tags": [
"x_transferred"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-005"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41925",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:41:13.012397Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T16:01:34.072Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "tailscale",
"vendor": "tailscale",
"versions": [
{
"status": "affected",
"version": "\u003c 1.32.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-11-23T00:00:00.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
},
{
"url": "https://emily.id.au/tailscale"
},
{
"url": "https://tailscale.com/security-bulletins/#ts-2022-005"
}
],
"source": {
"advisory": "GHSA-qccm-wmcq-pwr6",
"discovery": "UNKNOWN"
},
"title": "Tailscale daemon is vulnerable to information disclosure via CSRF"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41925",
"datePublished": "2022-11-23T00:00:00.000Z",
"dateReserved": "2022-09-30T00:00:00.000Z",
"dateUpdated": "2025-04-22T16:01:34.072Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-03-23 20:15
Modified
2024-11-21 07:55
Severity ?
5.7 (Medium) - CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.0 (High) - CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.
Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.
Affected users should upgrade to version 1.38.2 to remediate the issue.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*",
"matchCriteriaId": "627EF495-6BE7-4E49-95B1-2F6F67C153EF",
"versionEndExcluding": "1.38.2",
"versionStartIncluding": "1.34",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Tailscale is software for using Wireguard and multi-factor authentication (MFA). A vulnerability identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to prior to 1.38.2 in FreeBSD allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria: the destination node was a FreeBSD device with Tailscale SSH enabled; Tailscale SSH access rules permitted access for non-root users; and a non-interactive SSH session was used.\n\nAffected users should upgrade to version 1.38.2 to remediate the issue.\n\n"
}
],
"id": "CVE-2023-28436",
"lastModified": "2024-11-21T07:55:03.773",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-23T20:15:15.487",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2023-003"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2023-003"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-269"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-23 19:15
Modified
2024-11-21 07:24
Severity ?
Summary
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| security-advisories@github.com | https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp | Third Party Advisory | |
| security-advisories@github.com | https://tailscale.com/security-bulletins/#ts-2022-004 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tailscale.com/security-bulletins/#ts-2022-004 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2CCEDE3-89FA-4B6C-9BDA-4045A0090908",
"versionEndExcluding": "1.32.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
"matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue."
},
{
"lang": "es",
"value": "Una vulnerabilidad identificada en el cliente Tailscale de Windows permite que un sitio web malicioso reconfigure el daemon Tailscale \"tailscaled\", que luego puede usarse para ejecutar c\u00f3digo de forma remota. En el cliente Tailscale de Windows, la API local estaba vinculada a un socket TCP local y se comunicaba con la GUI del cliente de Windows en texto plano sin verificaci\u00f3n del encabezado del Host. Esto permiti\u00f3 que un sitio web controlado por un atacante visitado por el nodo volviera a vincular DNS a un servidor DNS controlado por un atacante y luego realizar solicitudes de API locales en el cliente, incluido el cambio del servidor de coordinaci\u00f3n a un servidor de coordinaci\u00f3n controlado por un atacante. Un servidor de coordinaci\u00f3n controlado por un atacante puede enviar respuestas URL maliciosas al cliente, incluida la inserci\u00f3n de ejecutables o la instalaci\u00f3n de un recurso compartido SMB. Estos permiten al atacante ejecutar c\u00f3digo de forma remota en el nodo. Todos los clientes de Windows anteriores a la versi\u00f3n v.1.32.3 se ven afectados. Si est\u00e1 ejecutando Tailscale en Windows, actualice a la versi\u00f3n 1.32.3 o posterior para solucionar el problema."
}
],
"id": "CVE-2022-41924",
"lastModified": "2024-11-21T07:24:04.797",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:H",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-23T19:15:12.400",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://emily.id.au/tailscale"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-004"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://emily.id.au/tailscale"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vqp6-rc3h-83cp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-004"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-346"
},
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-11-23 19:15
Modified
2024-11-21 07:24
Severity ?
Summary
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| security-advisories@github.com | https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6 | Third Party Advisory | |
| security-advisories@github.com | https://tailscale.com/security-bulletins/#ts-2022-005 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://emily.id.au/tailscale | Exploit, Technical Description, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://tailscale.com/security-bulletins/#ts-2022-005 | Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:tailscale:tailscale:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F2CCEDE3-89FA-4B6C-9BDA-4045A0090908",
"versionEndExcluding": "1.32.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables. In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node\u2019s Tailscale environment variables. An attacker with access to the peer API on a node could use that access to read the node\u2019s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user\u2019s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop. All Tailscale clients prior to version v1.32.3 are affected. Upgrade to v1.32.3 or later to remediate the issue."
},
{
"lang": "es",
"value": "Una vulnerabilidad identificada en el cliente Tailscale permite que un sitio web malicioso acceda a la API del mismo nivel, que luego puede usarse para acceder a las variables de entorno de Tailscale. En el cliente Tailscale, la API del mismo nivel era vulnerable a la nueva vinculaci\u00f3n de DNS. Esto permiti\u00f3 que un sitio web controlado por un atacante visitado por el nodo volviera a vincular el DNS para la API del mismo nivel a un servidor DNS controlado por el atacante y luego realizar solicitudes de API del mismo nivel en el cliente, incluido el acceso a las variables de entorno Tailscale del nodo. Un atacante con acceso a la API del mismo nivel en un nodo podr\u00eda usar ese acceso para leer las variables de entorno del nodo, incluidas las credenciales o secretos almacenados en las variables de entorno. Esto puede incluir claves de autenticaci\u00f3n de Tailscale, que luego podr\u00edan usarse para agregar nuevos nodos a la red trasera del usuario. El acceso a la API de pares tambi\u00e9n podr\u00eda usarse para conocer otros nodos en la tailnet o enviar archivos a trav\u00e9s de Taildrop. Todos los clientes de Tailscale anteriores a la versi\u00f3n v1.32.3 se ven afectados. Actualice a v1.32.3 o posterior para solucionar el problema."
}
],
"id": "CVE-2022-41925",
"lastModified": "2024-11-21T07:24:04.933",
"metrics": {
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 6.0,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-11-23T19:15:12.487",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://emily.id.au/tailscale"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Technical Description",
"Third Party Advisory"
],
"url": "https://emily.id.au/tailscale"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://tailscale.com/security-bulletins/#ts-2022-005"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}