ts-2024-013
Vulnerability from tailscale

Description: Potential for Tailscale SSH recording failures

What happened?

Tailscale SSH recording (https://tailscale.com/kb/1246/tailscale-ssh-session-recording) deployments that enforce recording with the enforceRecorder option could fail to record session activity in several situations.

Failure to write to the storage backend

If tsrecorder instances were unable to write to their configured storage, SSH sessions would be allowed to execute for a few seconds (typically under one or two) while the first output bytes failed to write.

A tsrecorder instance can fail to write to its configured storage for many reasons, including:

  • Misconfigured IAM permissions when using S3 for storage.
  • Misconfigured file permissions when using the local filesystem for storage.
  • Insufficient free space when using the local filesystem for storage.

tsrecorder now exercises the full set of required storage actions on startup.

Unreachable tsrecorder after a session is established

If tsrecorder instances became unreachable after a session had started, the SSH session would take several minutes to terminate. This could happen when tsrecorder went offline or when ACLs were updated to restrict access to tsrecorder nodes.

The Tailscale client now detects tsrecorder unreachability within 30 seconds and terminates the connection.
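Both fixes above amount to making the recorder fail closed: verify the storage backend before accepting sessions, and bind a live session to the recorder so that a write that is not confirmed ends the session instead of letting it run. The Go sketch below is an added illustration of that pattern and is not tsrecorder's or the Tailscale client's code. The Storage interface, memStorage, the probe key and the 50 ms write deadline used in the usage are all constructed for the example; the real storage API and the client's 30-second detection window are not reproduced here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Storage is the minimal backend contract this example assumes (hypothetical; not tsrecorder's own API).
type Storage interface {
	Put(ctx context.Context, key string, data []byte) error
	Get(ctx context.Context, key string) ([]byte, error)
	Delete(ctx context.Context, key string) error
}

// Preflight exercises every storage action a recording needs before any session is
// accepted, so IAM, file-permission or free-space problems surface at startup.
func Preflight(ctx context.Context, s Storage) error {
	const key, want = "preflight-probe", "preflight probe"
	if err := s.Put(ctx, key, []byte(want)); err != nil {
		return fmt.Errorf("preflight put: %w", err)
	}
	got, err := s.Get(ctx, key)
	if err != nil {
		return fmt.Errorf("preflight get: %w", err)
	}
	if string(got) != want {
		return errors.New("preflight: read-back does not match written data")
	}
	if err := s.Delete(ctx, key); err != nil {
		return fmt.Errorf("preflight delete: %w", err)
	}
	return nil
}

// Session ties an SSH session's lifetime to its recording: the first write that fails or
// exceeds writeTimeout cancels the session context (fail closed). Single-goroutine use assumed.
type Session struct {
	storage      Storage
	key          string
	writeTimeout time.Duration
	ctx          context.Context
	cancel       context.CancelFunc
	buf          []byte
}

func NewSession(parent context.Context, s Storage, key string, writeTimeout time.Duration) *Session {
	ctx, cancel := context.WithCancel(parent)
	return &Session{storage: s, key: key, writeTimeout: writeTimeout, ctx: ctx, cancel: cancel}
}

// Done closes once recording can no longer be guaranteed; the SSH server selects on it to end the session.
func (sess *Session) Done() <-chan struct{} { return sess.ctx.Done() }

// Record appends a chunk of session output and persists the whole recording.
// After a failure the session stays terminated, so later chunks are rejected too.
func (sess *Session) Record(chunk []byte) error {
	if err := sess.ctx.Err(); err != nil {
		return fmt.Errorf("session terminated: %w", err)
	}
	sess.buf = append(sess.buf, chunk...)
	ctx, cancel := context.WithTimeout(sess.ctx, sess.writeTimeout)
	defer cancel()
	if err := sess.storage.Put(ctx, sess.key, sess.buf); err != nil {
		sess.cancel() // fail closed: the session ends with the first unconfirmed write
		return fmt.Errorf("recording write failed, terminating session: %w", err)
	}
	return nil
}

// memStorage is a constructed in-memory backend with knobs for the bulletin's failure
// modes: readOnly models a missing write permission, unreachable a recorder that stops answering.
type memStorage struct {
	objects     map[string][]byte
	readOnly    bool
	unreachable bool
}

func (m *memStorage) Put(ctx context.Context, key string, data []byte) error {
	if m.unreachable { // never answers: only the caller's deadline ends the call
		<-ctx.Done()
		return ctx.Err()
	}
	if m.readOnly {
		return errors.New("access denied")
	}
	m.objects[key] = append([]byte(nil), data...)
	return nil
}

func (m *memStorage) Get(_ context.Context, key string) ([]byte, error) {
	return m.objects[key], nil // a missing key reads back empty; Preflight's comparison catches it
}

func (m *memStorage) Delete(_ context.Context, key string) error {
	delete(m.objects, key)
	return nil
}
```

Usage: run Preflight(ctx, store) once at startup and refuse to serve if it returns an error; for each SSH session create NewSession(ctx, store, sessionID, 50*time.Millisecond), feed output through Record, and have the server select on Done() so the session is torn down as soon as a write is not confirmed within the deadline. The deadline is the knob that bounds how long an attacker-controlled session can keep running after the recorder goes away.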

Who was affected?

Users of Tailscale SSH recording with the enforceRecorder option and with tsrecorder and Tailscale client versions prior to 1.78.0.
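To find out which SSH rules in a tailnet policy are covered by this bulletin, the following added Go check (not Tailscale's code) parses a policy file and lists the SSH rules that set enforceRecorder. The samplePolicy is constructed for the example, and the rule field names (action, src, dst, users, recorder, enforceRecorder) are taken from the documented SSH rule format; confirm them against your own policy before relying on the result.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// sshRule holds the fields of a Tailscale SSH policy rule relevant to recording.
// Field names follow the documented policy format (assumed here, not taken from the bulletin).
type sshRule struct {
	Action          string   `json:"action"`
	Src             []string `json:"src"`
	Dst             []string `json:"dst"`
	Users           []string `json:"users"`
	Recorder        []string `json:"recorder"`
	EnforceRecorder bool     `json:"enforceRecorder"`
}

type policy struct {
	SSH []sshRule `json:"ssh"`
}

// EnforcedRules returns the SSH rules that set enforceRecorder, i.e. the rules whose
// sessions are affected until tsrecorder and the clients are on 1.78.0 or later.
func EnforcedRules(policyJSON []byte) ([]sshRule, error) {
	var p policy
	if err := json.Unmarshal(policyJSON, &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var out []sshRule
	for _, r := range p.SSH {
		if r.EnforceRecorder {
			out = append(out, r)
		}
	}
	return out, nil
}

// samplePolicy is a constructed policy for this example, not a real tailnet's.
// It has one rule that enforces recording and one that records without enforcing.
const samplePolicy = `{
  "ssh": [
    {
      "action": "accept",
      "src": ["group:devops"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"],
      "recorder": ["tag:recorder"],
      "enforceRecorder": true
    },
    {
      "action": "accept",
      "src": ["group:devops"],
      "dst": ["tag:dev"],
      "users": ["autogroup:nonroot"],
      "recorder": ["tag:recorder"]
    }
  ]
}`

func main() {
	rules, err := EnforcedRules([]byte(samplePolicy))
	if err != nil {
		panic(err)
	}
	for _, r := range rules {
		fmt.Printf("enforced recording: %v -> %v (recorder %v)\n", r.Src, r.Dst, r.Recorder)
	}
}
```

Real policy files are HuJSON (comments and trailing commas allowed), which encoding/json rejects; standardize the file to plain JSON first, for example with the github.com/tailscale/hujson package, before feeding it to EnforcedRules.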

What was the impact?

Users connecting over Tailscale SSH to nodes that enforce session recording via enforceRecorder ACL flags would have been able to execute commands briefly before having their access terminated due to recording failures.

What do I need to do?

Update tsrecorder instances and Tailscale clients to version 1.78.0 or later.



{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2024-013",
  "link": "https://tailscale.com/security-bulletins/#ts-2024-013",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2024-013",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Wed, 04 Dec 2024 00:00:00 GMT",
  "title": "TS-2024-013",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2024-013"
  }
}

