ts-2024-010
Vulnerability from tailscale

Description: Accidental ACL edits due to browser caching

What happened?

When switching tailnets in the admin console, an Admin user could overwrite the ACLs of one tailnet with pending changes to ACLs from another tailnet.

When a user has unsaved ACL changes in the admin console, those changes are cached in browser storage. If this user is a member of multiple tailnets, tailnet A and tailnet B, and is editing ACLs for tailnet A, using the tailnet switcher in the top-right corner of the page would not clear the cached ACL changes correctly. In some rare cases, saving ACLs of tailnet B after the switch would use the cached ACL contents from tailnet A.
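As an added illustration (not Tailscale's code, and not a description of how the admin console is built), the following model shows why a draft cached in browser storage under a key that carries no tailnet identifier can be saved into the wrong tailnet, and how scoping the key to the active tailnet isolates drafts. The `MemoryStorage` class, the backend, the tailnet names and the sample policy are all constructed for the example.

```javascript
// Constructed stand-in for window.localStorage so the model runs offline.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Constructed backend holding one stored ACL policy per tailnet.
function makeBackend() {
  const policies = { "tailnet-a": '{"acls":[]}', "tailnet-b": '{"acls":[]}' };
  return { save: (t, p) => { policies[t] = p; }, get: (t) => policies[t] };
}

// Draft editor. With scoped=false the draft is cached under one key with no
// tailnet in it (the bug pattern); with scoped=true the key carries the active
// tailnet, so a draft written for tailnet A is invisible while B is active.
function makeEditor(storage, backend, scoped) {
  let active = "tailnet-a";
  const key = () => (scoped ? `pendingAcl:${active}` : "pendingAcl");
  return {
    switchTo(t) { active = t; },            // switching never touches the cache
    edit(text) { storage.setItem(key(), text); },
    save() {
      const draft = storage.getItem(key()); // unscoped: may be another tailnet's
      if (draft === null) return false;     // nothing pending for this tailnet
      backend.save(active, draft);
      storage.removeItem(key());
      return true;
    },
  };
}

// The bulletin's scenario: edit A's ACLs, switch to B without saving, save B.
function runScenario(scoped) {
  const storage = new MemoryStorage(), backend = makeBackend();
  const editor = makeEditor(storage, backend, scoped);
  editor.edit('{"acls":[{"action":"accept","src":["*"],"dst":["*:*"]}]}');
  editor.switchTo("tailnet-b");
  const saved = editor.save();
  return { saved, a: backend.get("tailnet-a"), b: backend.get("tailnet-b") };
}
```

With the unscoped key, `runScenario(false)` writes tailnet A's pending policy into tailnet B; with the scoped key, `runScenario(true)` finds no draft for B and leaves both policies untouched, which is the same isolation that clearing the cache on switch is meant to provide.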

A user can be an Admin in multiple tailnets when they log in with GitHub and are a member of GitHub organizations, or when they are invited to another tailnet and granted the Admin role.

Tailnet switching in the admin console was added on May 22nd, 2023. We fixed this bug on July 17th, 2024.

Who was affected?

Any user who is an Admin in multiple tailnets and edited ACLs in the admin console between May 22nd, 2023 and July 17th, 2024 could trigger this bug after switching the active tailnet.

What was the impact?

An Admin user could overwrite the ACLs of one tailnet with ACLs from another tailnet.

What do I need to do?

If you are an Admin of multiple tailnets using the same login name, review the ACLs in your tailnets for correctness.



Source: https://tailscale.com/security-bulletins/#ts-2024-010
Published: Fri, 19 Jul 2024 00:00:00 GMT
Feed: https://tailscale.com/security-bulletins/index.xml
Documentation linked from the bulletin:
  • Admin role: https://tailscale.com/kb/1138/user-roles#admin
  • ACLs: https://tailscale.com/kb/1018/acls
  • Inviting users: https://tailscale.com/kb/1271/invite-any-user

