TS-2022-001
Vulnerability from Tailscale

Description: An issue in the Tailscale coordination server allowed individuals using GitHub to authenticate to Tailscale to have their devices join a tailnet associated with an empty GitHub username.

What happened?

There was a flaw in Tailscale’s authorization logic for the GitHub identity provider. When a user authenticated to Tailscale with their GitHub identity and GitHub returned a 500 error, Tailscale in some cases treated the failed lookup as a successful authorization for an empty GitHub username, and connected the device to the tailnet keyed by that empty username. In other words, the authorization path failed open on an identity-provider error instead of failing closed, and an empty identifier was accepted as a valid tenant key.
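The fail-open pattern described above, as a constructed Go illustration added here (Tailscale’s coordination server is written in Go, but this is not Tailscale’s code, and the bulletin does not give the root cause). The assumed mechanism, an unchecked HTTP status combined with a GitHub-style JSON error body that decodes into a zero-value user, the `github:<login>` tailnet key, and all function names are assumptions for the example. The vulnerable lookup is shown beside a fail-closed version, and a fake GitHub API stands in for api.github.com so the program runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ghUser is the subset of GitHub's GET /user response used here.
type ghUser struct {
	Login string `json:"login"`
}

type lookupFunc func(client *http.Client, apiBase string) (string, error)

// lookupLoginVulnerable models a fail-open lookup (assumed mechanism, not
// Tailscale's actual code): the HTTP status is never checked, so a 500 whose
// body is GitHub-style JSON ({"message": "..."}) decodes cleanly into ghUser
// with Login == "" and a nil error. A 500 with an empty body makes Decode
// return io.EOF instead, so the bug fires only for some error responses,
// one way an "in some cases" failure can arise.
func lookupLoginVulnerable(client *http.Client, apiBase string) (string, error) {
	resp, err := client.Get(apiBase + "/user")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var u ghUser
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return "", err
	}
	return u.Login, nil // BUG: "" is handed back as a valid identity
}

// lookupLoginHardened fails closed: any non-200 is an error, and an empty
// login in an otherwise successful response is rejected rather than used.
func lookupLoginHardened(client *http.Client, apiBase string) (string, error) {
	resp, err := client.Get(apiBase + "/user")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("github /user: unexpected status %d", resp.StatusCode)
	}
	var u ghUser
	if err := json.NewDecoder(resp.Body).Decode(&u); err != nil {
		return "", err
	}
	if u.Login == "" {
		return "", errors.New("github /user: empty login in 200 response")
	}
	return u.Login, nil
}

// tailnetFor maps an identity to its tailnet. Keyed on the bare login, so
// "" is a perfectly good key: the tailnet for the empty GitHub username.
func tailnetFor(login string) string {
	return "github:" + login
}

// joinDevice is the coordination-server step: resolve the identity, then
// admit the device to that identity's tailnet.
func joinDevice(lookup lookupFunc, client *http.Client, apiBase string) (string, error) {
	login, err := lookup(client, apiBase)
	if err != nil {
		return "", fmt.Errorf("authorization denied: %w", err)
	}
	return tailnetFor(login), nil
}

// simulate runs one join attempt against a constructed stand-in for
// api.github.com that answers GET /user with the given status and body.
func simulate(lookup lookupFunc, status int, body string) (string, error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		fmt.Fprint(w, body)
	}))
	defer srv.Close()
	return joinDevice(lookup, srv.Client(), srv.URL)
}

func main() {
	cases := []struct{ name string; status int; body string }{
		{"github up", 200, `{"login":"alice"}`},
		{"github 500, JSON body", 500, `{"message":"Server Error"}`},
		{"github 500, empty body", 500, ""},
	}
	for _, c := range cases {
		tn, err := simulate(lookupLoginVulnerable, c.status, c.body)
		fmt.Printf("vulnerable  %-24s tailnet=%-14q err=%v\n", c.name, tn, err)
		tn, err = simulate(lookupLoginHardened, c.status, c.body)
		fmt.Printf("hardened    %-24s tailnet=%-14q err=%v\n", c.name, tn, err)
	}
}
```

On the 500 with a JSON body, the vulnerable path returns `tailnet="github:"` with a nil error, which is the empty-username tailnet; the hardened path denies with the status error. The two checks in the hardened version address separate failure modes: the status check stops an identity-provider outage from being read as a result at all, and the empty-login check stops a zero-value identifier from ever reaching the tenant lookup, so a future parsing bug cannot reopen the same hole.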

Who is affected?

A total of five devices belonging to four users were affected between 2021-06-15 and 2022-02-04, when the issue was reported and remediated. We have contacted the two users we were able to identify.

You may be affected if you authenticated to Tailscale using a GitHub account and, after authorizing the connection in GitHub, received a connection error. In that case your device would have joined a tailnet without you being asked to select which GitHub user or organization tailnet to connect to.

What is the impact?

No device connected to another device in the tailnet. Other than the two devices that belonged to the same user, no two devices in the tailnet had valid node keys at the same time, so they did not, and could not have, established connections to each other.

A device’s existence and some of its metadata were shared with devices added later in time. Devices added later were able to see previously added devices, including their host names, their OS and version, when they were last connected, and their public IP addresses.

There is no evidence of this vulnerability being purposefully triggered or exploited.

Credits

We would like to thank Marvin Boothby (boothb, https://github.com/boothb) for reporting the issue.

Source: https://tailscale.com/security-bulletins/#ts-2022-001
Published: 2022-02-07