Skip to content

Tailscale daemon is vulnerable to information disclosure via CSRF

Low severity GitHub Reviewed Published Nov 21, 2022 in tailscale/tailscale • Updated Jan 27, 2023

Package

gomod tailscale.com/cmd (Go)

Affected versions

< 1.32.3

Patched versions

1.32.3

Description

A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.

Affected platforms: All
Patched Tailscale client versions: v1.32.3 or later, v1.33.257 or later (unstable)

What happened?

In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables.

Who is affected?

All Tailscale clients prior to version v.1.32.3 are affected.

What should I do?

Upgrade to v1.32.3 or later to remediate the issue.

What is the impact?

An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop.

An attacker with access to the peer API who sent a malicious file via Taildrop which was accessed while it was loading could use this to gain access to the local API, and remotely execute code.

There is no evidence of this vulnerability being purposefully triggered or exploited.

Credits

We would like to thank Emily Trau and Jamie McClymont (CyberCX) for reporting this issue. Further detail is available in their blog post.

References

For more information

If you have any questions or comments about this advisory, contact Tailscale support.

References

@mayakacz mayakacz published to tailscale/tailscale Nov 21, 2022
Published to the GitHub Advisory Database Nov 21, 2022
Reviewed Nov 21, 2022
Published by the National Vulnerability Database Nov 23, 2022
Last updated Jan 27, 2023

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Adjacent
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

EPSS score

0.053%
(24th percentile)

CVE ID

CVE-2022-41925

GHSA ID

GHSA-qccm-wmcq-pwr6

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.