ts-2023-006
Vulnerability from tailscale

Description: An issue in the Tailscale client, combined with a behavior of the UPnP implementations in some routers, could expose all UDP ports of a node to external networks (usually the internet).

As of 2023-08-22 2:30 AM UTC, we have changed the Tailscale coordination server to advise nodes to stop using UPnP for port mapping. In some cases this can degrade NAT traversal and may cause some connections to route through DERP. This may increase node-to-node latency and decrease throughput. Version 1.48.1 resolves the issue and re-enables port mapping via UPnP.

What happened?

Tailscale nodes use UPnP as one of the mechanisms to open UDP port forwarding in routers to help with NAT traversal. Tailscale picks a node port and an external router port and requests forwarding between them. On first start Tailscale requested external port 0, which many routers interpret as a request to pick a random available port. However, some routers interpret this as a request to listen on all external ports and forward traffic to matching node ports.

Depending on the router's implementation of UPnP, a node could end up open to all UDP traffic from external networks. If some processes listen on UDP ports on the node, this could be used as a vector of attack against other software running on the node.
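To make the port-0 behaviour concrete, here is an added example (not Tailscale's or miniupnpd's code): a client-side guard that refuses to request external port 0 from the router, and an audit helper that parses a WANIPConnection GetGenericPortMappingEntry response and flags a wildcard UDP mapping of the kind the bulletin describes. The SOAP response, the internal client address and the internal port are constructed for the example.

```go
package main

import (
	"encoding/xml"
	"errors"
)

// One IGD mapping from GetGenericPortMappingEntry (WANIPConnection:1); only the fields the audit needs.
type portMapping struct {
	ExternalPort   int    `xml:"NewExternalPort"`
	Protocol       string `xml:"NewProtocol"`
	InternalClient string `xml:"NewInternalClient"`
}
type soapEnvelope struct {
	Body struct {
		Entry portMapping `xml:"GetGenericPortMappingEntryResponse"`
	} `xml:"Body"`
}

// Response constructed for this example (not captured from a real router): the entry an
// old miniupnpd creates when a client asks for external port 0 (address and port are made up).
const constructedEntry = `<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>0</NewExternalPort><NewProtocol>UDP</NewProtocol>
<NewInternalPort>41641</NewInternalPort><NewInternalClient>192.0.2.10</NewInternalClient>
<NewEnabled>1</NewEnabled><NewPortMappingDescription>tailscale</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>`

// parseMapping decodes a GetGenericPortMappingEntryResponse SOAP envelope.
func parseMapping(body string) (portMapping, error) {
	var env soapEnvelope
	if err := xml.Unmarshal([]byte(body), &env); err != nil {
		return portMapping{}, err
	}
	return env.Body.Entry, nil
}

// isWildcard flags an entry that forwards every external UDP port to the internal client.
func isWildcard(m portMapping) bool {
	return m.ExternalPort == 0 && m.Protocol == "UDP"
}

// validateAddPortMapping is the client-side guard: never ask the router for external port 0,
// since some routers read it as "all ports" rather than "pick a free port for me".
func validateAddPortMapping(externalPort int) error {
	if externalPort < 1 || externalPort > 65535 {
		return errors.New("external port must be 1-65535; 0 is a wildcard on some routers")
	}
	return nil
}
```

Walking a router's mapping table with GetGenericPortMappingEntry (index 0, 1, 2, ... until an error) and running each response through isWildcard is a quick way to check whether a router on your network ever created such an entry.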

Any firewall software running on the node would be able to stop unwanted UDP packets, if configured to do so.

The bug was discovered and fixed on 2023-08-21, and the fix was published in the 1.48.1 release.

Who is affected?

The only known vulnerable routers are those running the miniupnpd server, versions 1.9 (2016) or earlier. Other UPnP server implementations may also be vulnerable, but Tailscale is not aware of any as of 2023-08-22.

A small percentage of nodes listened on router port 0 via UPnP before the mitigation was deployed. All nodes running vulnerable versions now have UPnP port mapping disabled.

What is the impact?

Any service on the node listening on a UDP port and accepting traffic from any IP could receive traffic from external networks. This only applies to networks where the router implements UPnP wildcard port support.

If such a service does not implement authentication and/or authorization, allows packets to trigger sensitive actions, or has separate remotely-exploitable vulnerabilities, the node could be compromised by an attacker.

What do I need to do?

UPnP on vulnerable versions was disabled by the coordination server. Update Tailscale to version 1.48.1 or later to restore NAT traversal using UPnP for better node connectivity.

We do not recommend disabling UPnP or other port-mapping protocols on your router. These protocols greatly improve connectivity for Tailscale and other applications.

Source: https://tailscale.com/security-bulletins/#ts-2023-006 (published 2023-08-22)