ts-2023-005
Vulnerability from tailscale
Description: An issue in the Tailscale coordination server in device reauthentication logic caused previously authenticated and tagged devices to lose their ACL tags upon reauthentication.
What happened?
The logic that handles the reauthentication to a new identity on an already-authenticated device with tags had a bug: instead of updating the device’s logged-in identity to the newly authenticated user, the device’s identity became that of the user who originally added it to the tailnet, without any tags.
The bug was introduced on 2022-10-26, and discovered and remediated on 2023-04-21. The bug was discovered when troubleshooting a user-reported issue.
Who is affected?
189 tailnets triggered this bug in the course of normal use of Tailscale, either directly by explicitly re-authenticating a device, or indirectly by using fast user switching to switch between multiple tailnets.
We have notified affected organizations where we have security contacts.
What is the impact?
Devices that encountered the bug had their tags removed, which reverted the device’s identity to that of the user who originally authenticated the device, or the owner of the auth key that was originally used to authenticate the device. In either case, this is the user listed as “Creator” in the Machines tab of the admin panel. Depending on access rules in the tailnet policy file, this could change the device’s network permissions.
We have analyzed the audit logs for affected tailnets, and found no evidence of deliberate exploitation. In most instances, device owners noticed the incorrect outcome of reauthentication, and corrected the device’s state themselves.
What do I need to do?
If you were not contacted by Tailscale, no action is required. If you were contacted by Tailscale, reapply the desired tags to affected devices, either in the admin console or by reauthenticating the devices. Tailscale has deployed a fix to the coordination server as of 2023-04-21, and notified affected organizations.
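The faulty and the intended reauthentication paths described above, together with the inventory check a tailnet admin would run to find devices that need re-tagging, as an added example in Go; this is a model written for this page, not Tailscale's coordination-server code, and the Device struct, the function names and the sample inventory are assumptions.

```go
package main

import "fmt"

// Device is a minimal model of a coordination-server device record (an
// assumption for this example, not Tailscale's schema). Creator is the user who
// added the device or owned its auth key; User is the logged-in identity.
type Device struct {
	Name, Creator, User string
	Tags                []string
}

// ReauthBuggy reproduces the behaviour the bulletin describes: the identity
// falls back to the creator and the tags are dropped.
func ReauthBuggy(d Device, newUser string) Device {
	d.User, d.Tags = d.Creator, nil
	return d
}

// ReauthFixed is the intended behaviour: new identity, existing tags kept.
func ReauthFixed(d Device, newUser string) Device {
	d.User, d.Tags = newUser, append([]string(nil), d.Tags...)
	return d
}

// LostTags compares a pre-reauth inventory with a post-reauth one and returns
// the names of devices that were tagged before, are untagged now, and whose
// identity reverted to the creator: the signature of this bug.
func LostTags(before, after []Device) []string {
	prior := map[string]Device{}
	for _, d := range before {
		prior[d.Name] = d
	}
	var hits []string
	for _, a := range after {
		b, known := prior[a.Name]
		if known && len(b.Tags) > 0 && len(a.Tags) == 0 && a.User == a.Creator {
			hits = append(hits, a.Name)
		}
	}
	return hits
}

func main() {
	runner := Device{Name: "ci-runner", Creator: "alice@example.com", User: "alice@example.com", Tags: []string{"tag:ci"}} // constructed sample
	laptop := Device{Name: "laptop", Creator: "bob@example.com", User: "bob@example.com"}                                  // constructed sample
	after := []Device{ReauthBuggy(runner, "carol@example.com"), ReauthBuggy(laptop, "carol@example.com")}
	fmt.Println("devices to re-tag:", LostTags([]Device{runner, laptop}, after)) // [ci-runner]
}
```

An untagged device that reauthenticates is not flagged, since only devices whose tag set went from non-empty to empty match the bug's signature.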
Source: https://tailscale.com/security-bulletins/#ts-2023-005 (published 2023-04-28)