TS-2022-001
Vulnerability from Tailscale
Description: An issue in the Tailscale coordination server allowed individuals using GitHub to authenticate to Tailscale to have their devices join a tailnet associated with an empty GitHub username.
What happened?
There was a flaw in Tailscale’s authorization logic for the GitHub identity provider. If a user tried to authenticate to Tailscale using their GitHub identity and GitHub returned an HTTP 500 error, then in some cases Tailscale treated that failure as a successful authorization for an empty GitHub username, and connected the device to the tailnet associated with that empty username.
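The failure mode described above, as an added illustration (this is not Tailscale's coordination-server code, and the names `resolveVulnerable`, `resolveHardened`, `tailnetForLogin` and `newFakeGitHub` are hypothetical): the vulnerable resolver swallows the identity provider's error, is left with an empty login, and then uses that empty string as a valid identity for the tailnet lookup; the hardened resolver fails closed on a non-200 status, a decode failure, or an empty login before any lookup happens. The GitHub API is replaced by an in-process test server that either returns a user document or a constructed 500 response.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// githubUser holds the one field of GitHub's /user response used here.
// Illustrative type; not Tailscale's code.
type githubUser struct {
	Login string `json:"login"`
}

// tailnetForLogin is a hypothetical login-to-tailnet lookup. The entry under ""
// models the "tailnet associated with the empty GitHub username" from the bulletin.
var tailnetForLogin = map[string]string{
	"":      "tailnet-empty-login",
	"alice": "alice.github",
}

// outcome is what a resolver produced: a tailnet name, or an error.
type outcome struct {
	Tailnet string
	Err     error
}

// resolveVulnerable models the flawed pattern: the HTTP status is never
// checked, the decode error is ignored, so u.Login stays "" on a 500, and the
// empty string is then treated as a real identity.
func resolveVulnerable(client *http.Client, apiURL string) outcome {
	resp, err := client.Get(apiURL)
	if err != nil {
		return outcome{Err: err}
	}
	defer resp.Body.Close()
	var u githubUser
	_ = json.NewDecoder(resp.Body).Decode(&u) // error dropped; "Internal Server Error" is not JSON
	tailnet, ok := tailnetForLogin[u.Login]
	if !ok {
		return outcome{Err: errors.New("no tailnet for user")}
	}
	return outcome{Tailnet: tailnet}
}

// resolveHardened fails closed: non-200 status, malformed body and empty login
// are each rejected before the identity is used for anything.
func resolveHardened(client *http.Client, apiURL string) outcome {
	resp, err := client.Get(apiURL)
	if err != nil {
		return outcome{Err: err}
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(io.LimitReader(resp.Body, 1024))
		return outcome{Err: fmt.Errorf("identity provider returned %d: %s",
			resp.StatusCode, strings.TrimSpace(string(body)))}
	}
	var u githubUser
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return outcome{Err: fmt.Errorf("decoding identity response: %w", err)}
	}
	if strings.TrimSpace(u.Login) == "" {
		return outcome{Err: errors.New("identity provider returned an empty login")}
	}
	tailnet, ok := tailnetForLogin[u.Login]
	if !ok {
		return outcome{Err: errors.New("no tailnet for user")}
	}
	return outcome{Tailnet: tailnet}
}

// newFakeGitHub stands in for api.github.com. With fail=true it answers a
// constructed 500 with a plain-text body, the condition the bulletin describes.
func newFakeGitHub(fail bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if fail {
			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"login":"alice"}`)
	}))
}

// Resolve runs both resolvers against the fake GitHub in the given state.
func Resolve(githubFails bool) (vulnerable, hardened outcome) {
	srv := newFakeGitHub(githubFails)
	defer srv.Close()
	return resolveVulnerable(srv.Client(), srv.URL+"/user"),
		resolveHardened(srv.Client(), srv.URL+"/user")
}

func main() {
	for _, fail := range []bool{false, true} {
		v, h := Resolve(fail)
		fmt.Printf("github500=%v vulnerable=%+v hardened=%+v\n", fail, v, h)
	}
}
```

The point the example makes is that an authorization path must treat every upstream failure as a denial; the map entry under `""` only matters because the caller reached the lookup with an identity it never validated.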
Who is affected?
A total of five devices belonging to four users were affected between 2021-06-15 and 2022-02-04, when the issue was reported and remediated. We have contacted the two users we were able to identify.
You may be affected if you authenticated to Tailscale using a GitHub account and, after authorizing the connection in GitHub, received a connection error. In that case your device would have joined a tailnet without being asked to select which GitHub user or organization tailnet to connect to.
What is the impact?
No device connected to another device in the tailnet. Other than the two devices which belonged to the same user, no two devices in the tailnet had valid node keys at the same time, and so did not and would not have been able to establish connections.
A device’s existence and some of its metadata were shared with devices added later. Devices added later were able to see previously added devices, including their host names, their OS and version, when they were last connected, and their public IP addresses.
There is no evidence of this vulnerability being purposefully triggered or exploited.
Credits
We would like to thank Marvin Boothby (boothb) for reporting the issue.