ts-2022-002
Vulnerability from tailscale

Description: An issue in the Tailscale coordination server allowed individuals creating a new Tailscale account with a gmail.com email address to join the same tailnet, rather than individual tailnets.

What happened?

There was a flaw in Tailscale’s logic for migrating accounts between identity providers, and a new gmail.com shared tailnet was accidentally created. Once created, any user who tried to create a new Tailscale account with a gmail.com email address joined the shared gmail.com tailnet.

Who is affected?

A total of 44 users with 59 devices who created accounts for their gmail.com email addresses on 2022-05-11 between 10:56 and 13:12 PT were affected. We have notified affected users.

What is the impact?

Six connections between devices belonging to different users were made, but no traffic of concern flowed between them. Four connections were pings, and two connections were UDP traffic on port 27036, likely automated broadcasting by a gaming platform to discover peers to play with. There is no evidence of malicious traffic.

Impacted users could see some metadata about other users and devices from their devices’ clients, including users’ names, devices’ host names, and devices’ Tailscale IP addresses. This information was viewed by at least one user, who reported it to us.

One user, the tailnet Admin, was able to see all users and devices added to the shared gmail.com tailnet. This includes users’ email addresses, names, and when they were last connected; and devices’ host names, their OS and version, when the devices were last connected, and their public IP addresses. This information was viewed by the user, who reported it to us.

What do I need to do?

No action is required. Tailscale has deployed a fix to the coordination server as of 2022-05-11 13:12 PT.

New users registering for a Tailscale account with a gmail.com email address will create a tailnet as normal.

Credits

We would like to thank David Swafford and George Constantinides for reporting the issue.

Source: https://tailscale.com/security-bulletins/#ts-2022-002 (published 2022-05-11)

