ts-2024-001
Vulnerability from tailscale

Description: On Windows before Tailscale version 1.52 and on Linux before Tailscale 1.54, the tailscale serve and tailscale funnel features allowed users to serve the contents of directories that their user account could not access, but which the tailscaled service process could.

What happened?

A user could escalate their own file read access by running, for example, tailscale.exe serve http / C:\, and then browsing to the local HTTP endpoint.

The issue can also occur on Linux if the local administrator enabled an operator user ID with tailscale up --operator=$USER, as the $USER account could serve itself files that it could not normally read.

Who is affected?

Owners of Windows deployments for which the users of Tailscale nodes do not also have OS-level administrative access, and owners of Linux deployments where the administrator enabled non-root --operator access.

This issue can only be triggered by a local user and cannot be triggered remotely.

What is the impact?

This issue enables local privilege escalation (file read access). Access to certain system files (such as /etc/shadow on Linux) can then be used to obtain full administrative control over the host.

What do I need to do?

On Windows 10 and later, upgrade to Tailscale 1.52 (released 30 October 2023) or later, which resolves the issue.

On Windows 7 and 8, upgrade to Tailscale 1.44.3 (released 8 Jan 2024), which resolves the issue.

On Linux, upgrade to 1.54 (released 15 November 2023) or later, which resolves the issue.

The best practice is to run the latest stable version, which as of this writing is 1.56.1. Consider turning on automatic updates.

Use Tailscale ACLs to control the availability of Funnel.

Show details on source website

To clipboard 

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2024-001",
  "link": "https://tailscale.com/security-bulletins/#ts-2024-001",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2024-001",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Mon, 08 Jan 2024 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: On Windows before Tailscale version 1.52 and on Linux before\nTailscale 1.54, the \u003ccode\u003etailscale serve\u003c/code\u003e and \u003ccode\u003etailscale funnel\u003c/code\u003e features allowed\nusers to serve the contents of directories that their user account could not\naccess, but which the \u003ccode\u003etailscaled\u003c/code\u003e service process could.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eA user could escalate their own file read access by running, for example,\n\u003ccode\u003etailscale.exe serve http / C:\\\u003c/code\u003e, and then browsing to the local HTTP endpoint.\u003c/p\u003e\n\u003cp\u003eThe issue can also occur on Linux if the local administrator enabled an operator\nuser ID with \u003ccode\u003etailscale up --operator=$USER\u003c/code\u003e, as the \u003ccode\u003e$USER\u003c/code\u003e account could\n\u003ccode\u003eserve\u003c/code\u003e itself files that it could not normally read.\u003c/p\u003e\n\u003ch5\u003eWho is affected?\u003c/h5\u003e\n\u003cp\u003eOwners of Windows deployments for which the users of Tailscale nodes do not also\nhave OS-level administrative access, and owners of Linux deployments where the\nadministrator enabled non-root \u003ccode\u003e--operator\u003c/code\u003e access.\u003c/p\u003e\n\u003cp\u003eThis issue can only be triggered by a local user and cannot be triggered\nremotely.\u003c/p\u003e\n\u003ch5\u003eWhat is the impact?\u003c/h5\u003e\n\u003cp\u003eThis issue enables local privilege escalation (file read access). Access to\ncertain system files (such as \u003ccode\u003e/etc/shadow\u003c/code\u003e on Linux) can then be used to obtain\nfull administrative control over the host.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003eOn Windows 10 and later, upgrade to Tailscale 1.52 (\u003ca href=\"https://tailscale.com/changelog#2023-10-30-client\"\u003ereleased 30 October\n2023\u003c/a\u003e) or later, which resolves the issue.\u003c/p\u003e\n\u003cp\u003eOn Windows 7 and 8, upgrade to Tailscale 1.44.3 (\u003ca href=\"https://tailscale.com/changelog#2024-01-08-client\"\u003ereleased 8 Jan\n2024\u003c/a\u003e), which resolves the issue.\u003c/p\u003e\n\u003cp\u003eOn Linux, upgrade to 1.54 (\u003ca href=\"https://tailscale.com/changelog#2023-11-15-client\"\u003ereleased 15 November 2023\u003c/a\u003e) or later,\nwhich resolves the issue.\u003c/p\u003e\n\u003cp\u003eThe best practice is to run the latest stable version, which as of this writing\nis \u003ca href=\"https://tailscale.com/changelog#2023-12-15-client\"\u003e1.56.1\u003c/a\u003e. Consider turning on \u003ca href=\"https://tailscale.com/blog/auto-update-beta\"\u003eautomatic updates\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ca href=\"https://tailscale.com/kb/1223/funnel\"\u003eTailscale ACLs\u003c/a\u003e to control the availability of Funnel.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: On Windows before Tailscale version 1.52 and on Linux before\nTailscale 1.54, the \u003ccode\u003etailscale serve\u003c/code\u003e and \u003ccode\u003etailscale funnel\u003c/code\u003e features allowed\nusers to serve the contents of directories that their user account could not\naccess, but which the \u003ccode\u003etailscaled\u003c/code\u003e service process could.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eA user could escalate their own file read access by running, for example,\n\u003ccode\u003etailscale.exe serve http / C:\\\u003c/code\u003e, and then browsing to the local HTTP endpoint.\u003c/p\u003e\n\u003cp\u003eThe issue can also occur on Linux if the local administrator enabled an operator\nuser ID with \u003ccode\u003etailscale up --operator=$USER\u003c/code\u003e, as the \u003ccode\u003e$USER\u003c/code\u003e account could\n\u003ccode\u003eserve\u003c/code\u003e itself files that it could not normally read.\u003c/p\u003e\n\u003ch5\u003eWho is affected?\u003c/h5\u003e\n\u003cp\u003eOwners of Windows deployments for which the users of Tailscale nodes do not also\nhave OS-level administrative access, and owners of Linux deployments where the\nadministrator enabled non-root \u003ccode\u003e--operator\u003c/code\u003e access.\u003c/p\u003e\n\u003cp\u003eThis issue can only be triggered by a local user and cannot be triggered\nremotely.\u003c/p\u003e\n\u003ch5\u003eWhat is the impact?\u003c/h5\u003e\n\u003cp\u003eThis issue enables local privilege escalation (file read access). Access to\ncertain system files (such as \u003ccode\u003e/etc/shadow\u003c/code\u003e on Linux) can then be used to obtain\nfull administrative control over the host.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003eOn Windows 10 and later, upgrade to Tailscale 1.52 (\u003ca href=\"https://tailscale.com/changelog#2023-10-30-client\"\u003ereleased 30 October\n2023\u003c/a\u003e) or later, which resolves the issue.\u003c/p\u003e\n\u003cp\u003eOn Windows 7 and 8, upgrade to Tailscale 1.44.3 (\u003ca href=\"https://tailscale.com/changelog#2024-01-08-client\"\u003ereleased 8 Jan\n2024\u003c/a\u003e), which resolves the issue.\u003c/p\u003e\n\u003cp\u003eOn Linux, upgrade to 1.54 (\u003ca href=\"https://tailscale.com/changelog#2023-11-15-client\"\u003ereleased 15 November 2023\u003c/a\u003e) or later,\nwhich resolves the issue.\u003c/p\u003e\n\u003cp\u003eThe best practice is to run the latest stable version, which as of this writing\nis \u003ca href=\"https://tailscale.com/changelog#2023-12-15-client\"\u003e1.56.1\u003c/a\u003e. Consider turning on \u003ca href=\"https://tailscale.com/blog/auto-update-beta\"\u003eautomatic updates\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eUse \u003ca href=\"https://tailscale.com/kb/1223/funnel\"\u003eTailscale ACLs\u003c/a\u003e to control the availability of Funnel.\u003c/p\u003e"
  },
  "title": "TS-2024-001",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2024-001"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.