ts-2023-006
Vulnerability from tailscale

Description: An issue in the Tailscale client, combined with a behavior of the UPnP implementations in some routers, could expose all UDP ports of a node to external networks (usually the internet).

As of 2023-08-22 2:30 AM UTC, we have changed the Tailscale coordination server to advise nodes to stop using UPnP for port mapping. In some cases this can degrade NAT traversal and may cause some connections to route through DERP. This may increase node-to-node latency and decrease throughput. Version 1.48.1 resolves the issue and re-enables port mapping via UPnP.

What happened?

Tailscale nodes use UPnP (the IGD port-mapping protocol) as one of the mechanisms to open UDP port forwarding in routers to help with NAT traversal. Tailscale picks a node port and an external router port and asks the router to forward between them. On first start, the Tailscale client requested external port 0, which many routers interpret as a request to pick a random available port. However, some routers interpret port 0 as a request to listen on all external ports and forward that traffic to the matching node ports.

Depending on the router's implementation of UPnP, a node could end up open to all UDP traffic from external networks. If other processes on the node listen on UDP ports, those services become reachable from outside the local network, and the wildcard mapping could be used as an attack vector against them.

A host firewall running on the node can drop the unwanted UDP packets, if it is configured to do so.

The bug was discovered and fixed on 2023-08-21, and the fix was published in the 1.48.1 release.
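The request and response shapes described above, as an added example that is not Tailscale's code or part of the bulletin: a small Go program that builds the WANIPConnection:1 AddPortMapping body while refusing an external port of 0, parses a GetGenericPortMappingEntry response, and flags wildcard rows. The same table walk is what an administrator can use to confirm that a router no longer carries a wildcard mapping. The sample response, the client address 192.168.1.23, the description string and the internal port 41641 are constructed for this example; AuditRouter assumes you already have the router's WANIPConnection:1 control URL from its device description.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
)

const wanIPConn = "urn:schemas-upnp-org:service:WANIPConnection:1"

// soapEnvelope wraps one UPnP action body in the SOAP envelope IGD routers expect.
func soapEnvelope(body string) string {
	return `<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" ` +
		`s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>` + body + `</s:Body></s:Envelope>`
}

// AddPortMappingBody builds a UDP AddPortMapping request. It refuses an external
// port of 0: the bulletin reports that miniupnpd 1.9 and earlier treat 0 as "all
// external ports", not "pick a free port for me", so the client must always choose
// an explicit external port itself.
func AddPortMappingBody(internalClient string, internalPort, externalPort uint16, leaseSecs uint32) (string, error) {
	if externalPort == 0 {
		return "", errors.New("NewExternalPort=0 is a wildcard on some routers; pick an explicit port")
	}
	body := fmt.Sprintf(`<u:AddPortMapping xmlns:u=%q><NewRemoteHost></NewRemoteHost>`+
		`<NewExternalPort>%d</NewExternalPort><NewProtocol>UDP</NewProtocol>`+
		`<NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient>`+
		`<NewEnabled>1</NewEnabled><NewPortMappingDescription>example</NewPortMappingDescription>`+
		`<NewLeaseDuration>%d</NewLeaseDuration></u:AddPortMapping>`,
		wanIPConn, externalPort, internalPort, internalClient, leaseSecs)
	return soapEnvelope(body), nil
}

// PortMapping is one row of the router's mapping table (GetGenericPortMappingEntry).
type PortMapping struct {
	RemoteHost     string `xml:"NewRemoteHost"`
	ExternalPort   uint16 `xml:"NewExternalPort"`
	Protocol       string `xml:"NewProtocol"`
	InternalPort   uint16 `xml:"NewInternalPort"`
	InternalClient string `xml:"NewInternalClient"`
	Description    string `xml:"NewPortMappingDescription"`
}

// IsWildcard reports whether the row forwards every external port to the client.
func (m PortMapping) IsWildcard() bool { return m.ExternalPort == 0 }

type entryResponse struct {
	XMLName xml.Name    `xml:"Envelope"`
	Entry   PortMapping `xml:"Body>GetGenericPortMappingEntryResponse"`
}

// ParseMappingEntry decodes one GetGenericPortMappingEntry SOAP response.
func ParseMappingEntry(raw []byte) (PortMapping, error) {
	var r entryResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return PortMapping{}, err
	}
	return r.Entry, nil
}

// AuditRouter walks a live router's mapping table and returns the wildcard rows.
// controlURL is the WANIPConnection:1 control URL from the router's device
// description (obtained via SSDP discovery, which is not shown here).
func AuditRouter(controlURL string) ([]PortMapping, error) {
	var found []PortMapping
	for i := 0; i < 1024; i++ { // cap so a misbehaving router cannot loop us forever
		body := soapEnvelope(fmt.Sprintf(`<u:GetGenericPortMappingEntry xmlns:u=%q>`+
			`<NewPortMappingIndex>%d</NewPortMappingIndex></u:GetGenericPortMappingEntry>`, wanIPConn, i))
		req, err := http.NewRequest(http.MethodPost, controlURL, strings.NewReader(body))
		if err != nil {
			return found, err
		}
		req.Header.Set("Content-Type", `text/xml; charset="utf-8"`)
		req.Header.Set("SOAPAction", fmt.Sprintf(`"%s#GetGenericPortMappingEntry"`, wanIPConn))
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return found, err
		}
		data, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		if resp.StatusCode != http.StatusOK {
			// A past-the-end index is answered with a SOAP fault (UPnP error 713,
			// SpecifiedArrayIndexInvalid) over HTTP 500: end of table.
			return found, nil
		}
		m, err := ParseMappingEntry(data)
		if err != nil {
			return found, err
		}
		if m.IsWildcard() {
			found = append(found, m)
		}
	}
	return found, nil
}

// SampleWildcardResponse is a constructed (not captured) response showing the shape
// of a wildcard row: external port 0 forwarding to 192.168.1.23:41641.
const SampleWildcardResponse = `<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>0</NewExternalPort><NewProtocol>UDP</NewProtocol><NewInternalPort>41641</NewInternalPort><NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>example</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>`

func main() {
	m, err := ParseMappingEntry([]byte(SampleWildcardResponse))
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	fmt.Printf("%s ext=%d -> %s:%d wildcard=%v\n", m.Protocol, m.ExternalPort, m.InternalClient, m.InternalPort, m.IsWildcard())
	if len(os.Args) > 1 { // optional: pass a live control URL (illustrative: http://192.168.1.1:5000/ctl/IPConn)
		found, err := AuditRouter(os.Args[1])
		fmt.Printf("wildcard mappings: %+v (err=%v)\n", found, err)
	}
}
```

Run with no arguments to see the constructed wildcard row parsed and flagged; pass a control URL to enumerate a real router's table. A non-200 answer is treated as the end of the table, which is the normal way a router signals a past-the-end index, so a genuinely failing router will look like an empty table rather than an error; check the HTTP status by hand if the result seems too clean.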

Who is affected?

The only known vulnerable routers are those running the miniupnpd server, versions 1.9 (2016) or earlier. Other UPnP server implementations may also be vulnerable, but Tailscale is not aware of any as of 2023-08-22.

A small percentage of nodes had requested a UPnP mapping with external port 0 before the mitigation was deployed. All nodes running vulnerable versions now have UPnP port mapping disabled.

What is the impact?

Any service on the node listening on a UDP port bound to all addresses (0.0.0.0 or ::, rather than only loopback or the Tailscale interface) could receive traffic from external networks. This only applies to networks where the router implements UPnP wildcard port support.

If such a service does not implement authentication and/or authorization, allows packets to trigger sensitive actions, or has separate remotely-exploitable vulnerabilities, the node could be compromised by an attacker.

What do I need to do?

UPnP on vulnerable versions was disabled by the coordination server. Update Tailscale to version 1.48.1 or later to restore NAT traversal using UPnP for better node connectivity.

We do not recommend disabling UPnP or other port-mapping protocols on your router. These protocols greatly improve connectivity for Tailscale and other applications.

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2023-006",
  "link": "https://tailscale.com/security-bulletins/#ts-2023-006",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2023-006",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Tue, 22 Aug 2023 00:00:00 GMT",
  "title": "TS-2023-006",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2023-006"
  }
}