ts-2022-003
Vulnerability from tailscale
Description: An issue in Tailscale’s implementation of the OAuth authentication flow for GitHub allowed users who authenticate to Tailscale with their GitHub user identity to create a tailnet for a GitHub organization using SAML authentication in GitHub Enterprise Cloud, where Tailscale is not an authorized OAuth app for their organization.
What happened?
Tailscale silently ignored the 403 error returned by the GitHub API query for an authenticated user's organizations when the user had authenticated via SAML but the organization had not authorized Tailscale. This only applied to organizations using SAML on GitHub Enterprise Cloud with OAuth app authorization enabled, and where Tailscale was not authorized.
As a result, a user identity could bypass the organization’s OAuth app access restrictions, and create a tailnet for the GitHub organization.
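The failure mode described above, reduced to a runnable Go example. This is added here and is not Tailscale's coordination-server code: the check's shape, the token and organization names, and the fake GitHub server are all assumptions. The lenient variant models the bug class (a 403 from the organizations endpoint is swallowed and the request proceeds); the strict variant fails closed, allowing the request only when GitHub returns 200 and lists the organization.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Org is the part of GitHub's "list organizations for the authenticated user"
// response (GET /user/orgs) that the check needs.
type Org struct {
	Login string `json:"login"`
}

// ErrOrgForbidden is returned when GitHub answers 403. With SAML enforcement and
// OAuth app restrictions on GitHub Enterprise Cloud, that status is the signal
// that the organization has not authorized this OAuth app for the token's user.
var ErrOrgForbidden = errors.New("github: 403 listing organizations (OAuth app not authorized for the org)")

// fetchOrgs calls GET {apiBase}/user/orgs and maps the status code explicitly:
// 200 -> decoded list, 403 -> ErrOrgForbidden, anything else -> an error.
func fetchOrgs(client *http.Client, apiBase, token string) ([]Org, error) {
	req, err := http.NewRequest(http.MethodGet, apiBase+"/user/orgs", nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var orgs []Org
		if err := json.NewDecoder(resp.Body).Decode(&orgs); err != nil {
			return nil, err
		}
		return orgs, nil
	case http.StatusForbidden:
		return nil, ErrOrgForbidden
	default:
		return nil, fmt.Errorf("github: unexpected status %d listing organizations", resp.StatusCode)
	}
}

// AuthorizeTailnetForOrg decides whether the token's user may create a tailnet
// for requestedOrg. failClosed=false models the bug class in the bulletin (an
// assumed reconstruction, not Tailscale's code): a lookup error is ignored and
// the request proceeds. failClosed=true allows the request only when GitHub
// returned 200 and the organization is in the list.
func AuthorizeTailnetForOrg(client *http.Client, apiBase, token, requestedOrg string, failClosed bool) (bool, error) {
	orgs, err := fetchOrgs(client, apiBase, token)
	if err != nil {
		if failClosed {
			return false, err // surface the 403 as a denial the caller can log
		}
		return true, nil // BUG: the error is swallowed and the check is skipped
	}
	for _, o := range orgs {
		if o.Login == requestedOrg {
			return true, nil
		}
	}
	return false, nil
}

// NewFakeGitHub is a constructed stand-in for the GitHub API: tokens listed in
// samlBlocked get a 403 (organization has not authorized the app); any other
// token gets 200 with its organizations. Body and header are sample values
// modelled on GitHub's SAML enforcement responses, not captured from GitHub.
func NewFakeGitHub(orgsByToken map[string][]Org, samlBlocked map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/user/orgs" {
			http.NotFound(w, r)
			return
		}
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if samlBlocked[token] {
			w.Header().Set("X-GitHub-SSO", "required; url=https://github.example/sso") // sample value
			http.Error(w, `{"message":"Resource protected by organization SAML enforcement."}`, http.StatusForbidden)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(orgsByToken[token])
	}))
}

// RunScenario exercises the check against the fake server. Token names and the
// organization name are constructed for this example.
func RunScenario(token string, failClosed bool) (bool, error) {
	srv := NewFakeGitHub(
		map[string][]Org{"tok-authorized": {{Login: "example-org"}}},
		map[string]bool{"tok-saml-unauthorized": true},
	)
	defer srv.Close()
	return AuthorizeTailnetForOrg(srv.Client(), srv.URL, token, "example-org", failClosed)
}

func main() {
	for _, failClosed := range []bool{false, true} {
		allowed, err := RunScenario("tok-saml-unauthorized", failClosed)
		fmt.Printf("failClosed=%-5v allowed=%-5v err=%v\n", failClosed, allowed, err)
	}
}
```

The design point is that a 403 on an authorization-bearing lookup is itself an authorization decision made by the identity provider, so the only safe mapping is a denial; returning a typed error rather than an empty list also gives the caller something to log, which is what makes creation attempts against unauthorized organizations visible in audit data.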
Who is affected?
Up to 7 tailnets for GitHub organizations on GitHub Enterprise Cloud which use SAML for authentication may have been created between 2021-06-18 and 2022-06-03 without Tailscale being an authorized OAuth app for their GitHub organization, and could have used Tailscale to connect devices in that organization. An additional 10 tailnets were created with no or only one device, and so could not have used Tailscale to connect between devices.
We have notified the Tailscale admins for the affected organizations who we were able to identify. We do not have a way to notify the GitHub organization owners.
If you’re a GitHub organization owner, you can see if Tailscale is approved for your GitHub organization by going to the organization’s settings page and selecting “Third-party access” from the left-hand navigation. Or, for an organization $your-org, navigate to
https://github.com/organizations/$your-org/settings/oauth_application_policy
What is the impact?
A tailnet may have been created for a GitHub organization without their GitHub organization owner’s approval. In this case, the use of Tailscale and the creation of a tailnet could be perceived as being sanctioned by their organization when it might not have been.
What do I need to do?
If you are affected, you will need to re-authenticate to keep using your tailnet. Tailscale has expired all admin console sessions for potentially affected GitHub organizations as of 2022-06-13. As a result, users in a potentially affected tailnet will need to re-authenticate the next time they access the admin console, and will not be able to do so without Tailscale being an authorized OAuth app, which may first require getting approval from their GitHub organization owner. Nodes in a potentially affected tailnet will also need to re-authenticate when their node keys expire. If you’re a GitHub organization owner, you can approve Tailscale as an OAuth app by following GitHub’s instructions for Approving OAuth Apps for your organization.
Tailscale has deployed a fix to the coordination server as of 2022-06-03, so that no new tailnets can be created without a GitHub organization owner’s approval.
Credits
We would like to thank Aurelia for reporting the issue. Further detail is available in their blog post.
Source: https://tailscale.com/security-bulletins/#ts-2022-003 (published 2022-06-14)
Reporter: Aurelia (https://github.com/acuteaura); their write-up: https://notes.acuteaura.net/posts/github-enterprise-security/
Sightings
Author | Source | Type | Date
--- | --- | --- | ---
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.