ts-2023-005
Vulnerability from tailscale

Description: An issue in the Tailscale coordination server in device reauthentication logic caused previously authenticated and tagged devices to lose their ACL tags upon reauthentication.

What happened?

The logic that handles the reauthentication to a new identity on an already-authenticated device with tags had a bug: instead of updating the device’s logged-in identity to the newly authenticated user, the device’s identity became that of the user who originally added it to the tailnet, without any tags.

The bug was introduced on 2022-10-26, and discovered and remediated on 2023-04-21. The bug was discovered when troubleshooting a user-reported issue.

Who is affected?

189 tailnets triggered this bug in the course of normal use of Tailscale, either directly by explicitly reauthenticating a device, or indirectly by using fast user switching to switch between multiple tailnets.

We have notified affected organizations where we have security contacts.

What is the impact?

Devices that encountered the bug had their tags removed, which reverted the device’s identity to that of the user who originally authenticated the device, or the owner of the auth key that was originally used to authenticate the device. In either case, this is the user listed as “Creator” in the Machines tab of the admin panel. Depending on access rules in the tailnet policy file, this could change the device’s network permissions.

We have analyzed the audit logs for affected tailnets, and found no evidence of deliberate exploitation. In most instances, device owners noticed the incorrect outcome of reauthentication, and corrected the device’s state themselves.

What do I need to do?

If you were not contacted by Tailscale, no action is required. If you were contacted by Tailscale, reapply the desired tags to affected devices in the admin console, or by reauthenticating the devices. Tailscale has deployed a fix to the coordination server as of 2023-04-21, and notified affected organizations.
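The remediation above assumes an operator knows which devices should carry which tags. The following Go program is an added example, not part of this bulletin and not Tailscale's code: it compares a device listing against an operator-kept tag inventory and reports every device whose tags have drifted, along with the user the device now appears under (the "Creator" identity the bug reverted to). The listing shape (`name`, `user`, `tags`) is an assumption modelled loosely on an admin API device record, and both the listing and the inventory are constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Device is the subset of a device record this audit needs. ASSUMPTION: the
// field names are modelled on an admin API device listing; the bulletin does
// not show that format, so treat the shape as illustrative.
type Device struct {
	Name string   `json:"name"`
	User string   `json:"user"`
	Tags []string `json:"tags"`
}

type listing struct {
	Devices []Device `json:"devices"`
}

// Finding is one device whose live tags differ from the expected inventory.
type Finding struct {
	Device       string
	ExpectedTags []string
	CurrentTags  []string
	CurrentUser  string // identity the device is currently shown under
}

// sampleListing is a constructed device listing: db-1 and ci-runner have lost
// their tags and appear under a personal user (the "Creator"), web-1 is intact.
const sampleListing = `{"devices": [
  {"name": "db-1.example.ts.net", "user": "alice@example.com", "tags": []},
  {"name": "web-1.example.ts.net", "user": "tagged-devices", "tags": ["tag:prod", "tag:web"]},
  {"name": "ci-runner.example.ts.net", "user": "bob@example.com", "tags": null}
]}`

// expectedTags is the operator's own record of which tags each device should
// carry (constructed for this example).
var expectedTags = map[string][]string{
	"db-1.example.ts.net":      {"tag:db", "tag:prod"},
	"web-1.example.ts.net":     {"tag:web", "tag:prod"},
	"ci-runner.example.ts.net": {"tag:ci"},
}

// sameTagSet compares two tag lists as sets, so tag ordering and a nil-vs-empty
// difference do not produce false positives.
func sameTagSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	as := append([]string(nil), a...)
	bs := append([]string(nil), b...)
	sort.Strings(as)
	sort.Strings(bs)
	for i := range as {
		if as[i] != bs[i] {
			return false
		}
	}
	return true
}

// AuditTags parses a device listing and returns every inventoried device whose
// current tags do not match the expected set, sorted by device name. A device
// present in the inventory but absent from the listing is reported too (with
// nil current tags), since silently skipping it would hide a missing host.
func AuditTags(listingJSON []byte, expected map[string][]string) ([]Finding, error) {
	var l listing
	if err := json.Unmarshal(listingJSON, &l); err != nil {
		return nil, fmt.Errorf("parse listing: %w", err)
	}
	byName := make(map[string]Device, len(l.Devices))
	for _, d := range l.Devices {
		byName[d.Name] = d
	}
	var findings []Finding
	for name, want := range expected {
		d, ok := byName[name]
		if ok && sameTagSet(d.Tags, want) {
			continue
		}
		findings = append(findings, Finding{
			Device: name, ExpectedTags: want, CurrentTags: d.Tags, CurrentUser: d.User,
		})
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Device < findings[j].Device })
	return findings, nil
}

func main() {
	findings, err := AuditTags([]byte(sampleListing), expectedTags)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: expected %v, has %v (now shown under %q); reapply tags in the admin console or reauthenticate the device\n",
			f.Device, f.ExpectedTags, f.CurrentTags, f.CurrentUser)
	}
}
```

Running this against a real listing would flag db-1 and ci-runner for manual re-tagging while leaving web-1 alone; the set comparison matters because tag order in a listing is not something an audit should depend on.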

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2023-005",
  "link": "https://tailscale.com/security-bulletins/#ts-2023-005",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2023-005",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Fri, 28 Apr 2023 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: An issue in the Tailscale coordination server in device\nreauthentication logic caused previously authenticated and tagged devices to\nlose their \u003ca href=\"https://tailscale.com/kb/1068/acl-tags/\"\u003eACL tags\u003c/a\u003e upon reauthentication.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eThe logic that handles the reauthentication to a new identity on an\nalready-authenticated device with tags had a bug: instead of updating the\ndevice\u2019s logged-in identity to the newly authenticated user, the device\u2019s\nidentity became that of the user who originally added it to the tailnet, without\nany tags.\u003c/p\u003e\n\u003cp\u003eThe bug was introduced on 2022-10-26, and discovered and remediated on\n2023-04-21. The bug was discovered when troubleshooting a user-reported issue.\u003c/p\u003e\n\u003ch5\u003eWho is affected?\u003c/h5\u003e\n\u003cp\u003e189 tailnets triggered this bug in the course of normal use of Tailscale, either\ndirectly by explicitly re-authenticating a device, or indirectly by using \u003ca href=\"https://tailscale.com/kb/1225/fast-user-switching/\"\u003efast\nuser switching\u003c/a\u003e to switch between multiple\ntailnets.\u003c/p\u003e\n\u003cp\u003eWe have notified affected organizations where we have \u003ca href=\"https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email\"\u003esecurity\ncontacts\u003c/a\u003e.\u003c/p\u003e\n\u003ch5\u003eWhat is the impact?\u003c/h5\u003e\n\u003cp\u003eDevices that encountered the bug had their tags removed, which reverted the\ndevice\u2019s identity to that of the user who originally authenticated the device,\nor the owner of the auth key that was originally used to authenticate the\ndevice. In either case, this is the user listed as \u201cCreator\u201d in the Machines tab\nof the admin panel. Depending on access rules in the tailnet policy file, this\ncould change the device\u2019s network permissions.\u003c/p\u003e\n\u003cp\u003eWe have analyzed the audit logs for affected tailnets, and found no evidence of\ndeliberate exploitation. In most instances, device owners noticed the incorrect\noutcome of reauthentication, and corrected the device\u2019s state themselves.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003e\u003cstrong\u003eIf you were not contacted by Tailscale, no action is required.\u003c/strong\u003e \u00a0If you were\ncontacted by Tailscale, reapply the desired tags to affected devices in the\nadmin console, or by reauthenticating the devices. Tailscale has deployed a fix\nto the coordination server as of 2023-04-21, and notified affected\norganizations.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: An issue in the Tailscale coordination server in device\nreauthentication logic caused previously authenticated and tagged devices to\nlose their \u003ca href=\"https://tailscale.com/kb/1068/acl-tags/\"\u003eACL tags\u003c/a\u003e upon reauthentication.\u003c/p\u003e\n\u003ch5\u003eWhat happened?\u003c/h5\u003e\n\u003cp\u003eThe logic that handles the reauthentication to a new identity on an\nalready-authenticated device with tags had a bug: instead of updating the\ndevice\u2019s logged-in identity to the newly authenticated user, the device\u2019s\nidentity became that of the user who originally added it to the tailnet, without\nany tags.\u003c/p\u003e\n\u003cp\u003eThe bug was introduced on 2022-10-26, and discovered and remediated on\n2023-04-21. The bug was discovered when troubleshooting a user-reported issue.\u003c/p\u003e\n\u003ch5\u003eWho is affected?\u003c/h5\u003e\n\u003cp\u003e189 tailnets triggered this bug in the course of normal use of Tailscale, either\ndirectly by explicitly re-authenticating a device, or indirectly by using \u003ca href=\"https://tailscale.com/kb/1225/fast-user-switching/\"\u003efast\nuser switching\u003c/a\u003e to switch between multiple\ntailnets.\u003c/p\u003e\n\u003cp\u003eWe have notified affected organizations where we have \u003ca href=\"https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email\"\u003esecurity\ncontacts\u003c/a\u003e.\u003c/p\u003e\n\u003ch5\u003eWhat is the impact?\u003c/h5\u003e\n\u003cp\u003eDevices that encountered the bug had their tags removed, which reverted the\ndevice\u2019s identity to that of the user who originally authenticated the device,\nor the owner of the auth key that was originally used to authenticate the\ndevice. In either case, this is the user listed as \u201cCreator\u201d in the Machines tab\nof the admin panel. Depending on access rules in the tailnet policy file, this\ncould change the device\u2019s network permissions.\u003c/p\u003e\n\u003cp\u003eWe have analyzed the audit logs for affected tailnets, and found no evidence of\ndeliberate exploitation. In most instances, device owners noticed the incorrect\noutcome of reauthentication, and corrected the device\u2019s state themselves.\u003c/p\u003e\n\u003ch5\u003eWhat do I need to do?\u003c/h5\u003e\n\u003cp\u003e\u003cstrong\u003eIf you were not contacted by Tailscale, no action is required.\u003c/strong\u003e \u00a0If you were\ncontacted by Tailscale, reapply the desired tags to affected devices in the\nadmin console, or by reauthenticating the devices. Tailscale has deployed a fix\nto the coordination server as of 2023-04-21, and notified affected\norganizations.\u003c/p\u003e"
  },
  "title": "TS-2023-005",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2023-005"
  }
}

