ts-2023-002
Vulnerability from tailscale
Description: An issue in the Tailscale coordination server allowed nodes with expired node keys to continue communicating with other nodes in a tailnet.
What happened?
There was a flaw in Tailscale’s logic for expiring node keys. If the set of nodes that can connect in a tailnet (the netmap) didn’t have any changes, then expired node keys were not immediately removed from the netmap. The longest delay in removal was 19 days, from 2022-12-20 to 2023-01-09.
Who is affected?
All tailnets with nodes whose node keys expired prior to 2023-01-12 may have been affected. Admins of a tailnet can view nodes with expired node keys in the admin console.
What is the impact?
Connections between nodes could continue after a node key expired, whether the expired node key was the source or the destination of a connection. Connections to nodes with expired node keys would only be possible if they met all of the following criteria:
- The peer node was in the same tailnet as, or shared into a tailnet with the node with the expired node key;
- The peer node and the node with the expired node key were allowed to connect based on the access rules in the tailnet policy file at the time of expiry of the node key;
- The tailnet’s netmap, including access rules, nodes added or removed from the tailnet, or connectivity of nodes in the tailnet, had not changed since the node key expiry; and
- Tailscale had not deployed a change to the coordination server since the node key expiry.
What do I need to do?
No action is required. Tailscale has deployed a fix to the coordination server as of 2023-01-11.
Upgrade clients to v1.36 or later for an additional mitigation. In conjunction with the coordination server fix, this mitigation prevents nodes from connecting to nodes with expired node keys if the Tailscale coordination server is offline or unreachable.
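A simplified Go model of the flaw described under "What happened?" and of the server-side and client-side mitigations above, added here as an illustration. It is not Tailscale's code: `Node`, `Server`, `NetmapFlawed`, `NetmapFixed` and `ClientFilter` are hypothetical names, the fix shown is an assumed one, and the nodes are constructed, with dates reusing the bulletin's 19-day window.

```go
package main

import (
	"fmt"
	"time"
)

// Node is a hypothetical, simplified netmap entry (not Tailscale's own type).
type Node struct {
	Name      string
	KeyExpiry time.Time
}

// Server models a coordination server that caches the last netmap it built.
type Server struct {
	Nodes  []Node
	Dirty  bool // set when nodes, access rules or connectivity change
	cached []Node
}

func validAt(nodes []Node, now time.Time) []Node { // nodes with unexpired keys
	out := []Node{}
	for _, n := range nodes {
		if now.Before(n.KeyExpiry) {
			out = append(out, n)
		}
	}
	return out
}

// NetmapFlawed rebuilds only on a change, so time passing never evicts a key.
func (s *Server) NetmapFlawed(now time.Time) []Node {
	if s.Dirty || s.cached == nil {
		s.cached, s.Dirty = validAt(s.Nodes, now), false
	}
	return s.cached
}

// NetmapFixed (assumed fix) evaluates expiry on every request, change or not.
func (s *Server) NetmapFixed(now time.Time) []Node { return validAt(s.Nodes, now) }

// ClientFilter re-checks expiry locally, so a stale netmap cannot keep a peer.
func ClientFilter(peers []Node, now time.Time) []Node { return validAt(peers, now) }

func main() { // constructed nodes; dates reuse the bulletin's 19-day window
	day := func(s string) time.Time { t, _ := time.Parse("2006-01-02", s); return t }
	s := &Server{Nodes: []Node{{"laptop", day("2022-12-20")}, {"db", day("2023-06-01")}}}
	stale, now := s.NetmapFlawed(day("2022-12-01")), day("2023-01-09") // built pre-expiry
	fmt.Println(len(s.NetmapFlawed(now)), len(s.NetmapFixed(now)), len(ClientFilter(stale, now)))
}
```

In the model, any unrelated change (setting `Dirty`) also evicts the expired key, which matches the bulletin's criterion that the netmap must not have changed since expiry.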
Credits
We would like to thank Derek Ellis and Alex Eiser for reporting this issue.
Published: Tue, 24 Jan 2023 00:00:00 GMT. Source: https://tailscale.com/security-bulletins/#ts-2023-002
Sightings
Author | Source | Type | Date |
---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.