ghsa-qccm-wmcq-pwr6
Vulnerability from github
A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.
Affected platforms: All Patched Tailscale client versions: v1.32.3 or later, v1.33.257 or later (unstable)
What happened?
In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables.
Who is affected?
All Tailscale clients prior to version v.1.32.3 are affected.
What should I do?
Upgrade to v1.32.3 or later to remediate the issue.
What is the impact?
An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop.
An attacker with access to the peer API who sent a malicious file via Taildrop which was accessed while it was loading could use this to gain access to the local API, and remotely execute code.
There is no evidence of this vulnerability being purposefully triggered or exploited.
Credits
We would like to thank Emily Trau and Jamie McClymont (CyberCX) for reporting this issue. Further detail is available in their blog post.
References
For more information
If you have any questions or comments about this advisory, contact Tailscale support.
{ affected: [ { package: { ecosystem: "Go", name: "tailscale.com/cmd", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "1.32.3", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2022-41925", ], database_specific: { cwe_ids: [ "CWE-200", "CWE-352", ], github_reviewed: true, github_reviewed_at: "2022-11-21T22:34:22Z", nvd_published_at: "2022-11-23T19:15:00Z", severity: "LOW", }, details: "A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.\n\n**Affected platforms:** All\n**Patched Tailscale client versions:** v1.32.3 or later, v1.33.257 or later (unstable)\n\n### What happened?\nIn the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables.\n\n### Who is affected?\nAll Tailscale clients prior to version v.1.32.3 are affected.\n\n### What should I do?\nUpgrade to v1.32.3 or later to remediate the issue.\n\n### What is the impact?\nAn attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop.\n\nAn attacker with access to the peer API who sent a malicious file via Taildrop which was accessed while it was loading could use this to gain access to the local API, and remotely execute code.\n\nThere is no evidence of this vulnerability being purposefully triggered or exploited.\n\n### Credits\nWe would like to thank [Emily Trau](https://github.com/emilytrau) and [Jamie McClymont (CyberCX)](https://twitter.com/JJJollyjim) for reporting this issue. Further detail is available in [their blog post](https://emily.id.au/tailscale).\n\n### References\n* [TS-2022-005](https://tailscale.com/security-bulletins/#ts-2022-005)\n* [Researcher blog post](https://emily.id.au/tailscale)\n\n### For more information\nIf you have any questions or comments about this advisory, [contact Tailscale support](https://tailscale.com/contact/support/).", id: "GHSA-qccm-wmcq-pwr6", modified: "2022-12-01T22:12:32Z", published: "2022-11-21T22:34:22Z", references: [ { type: "WEB", url: "https://github.com/tailscale/tailscale/security/advisories/GHSA-qccm-wmcq-pwr6", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2022-41925", }, { type: "WEB", url: "https://emily.id.au/tailscale", }, { type: "PACKAGE", url: "https://github.com/tailscale/tailscale", }, { type: "WEB", url: "https://tailscale.com/security-bulletins/#ts-2022-005", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", type: "CVSS_V3", }, ], summary: "Tailscale daemon is vulnerable to information disclosure via CSRF", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.