ts-2024-007
Vulnerability from tailscale

Description: Incorrect DNS resolution with split DNS on macOS and iOS

What happened?

On Tailscale macOS and iOS clients with split DNS configurations (like App Connectors or Restricted Nameservers), lookups of bare tailnet node names could in rare cases return incorrect answers. For example, if a node mynode and an App Connector for *.example.com exist on a tailnet, DNS lookups for mynode could return the answer for mynode.example.com instead of the local tailnet IP. This mis-configuration is intermittent, and most often triggers for a few seconds when switching device networks (for example from Wi-Fi to a phone hotspot).

We fixed this bug in client version 1.68.0, and notified the security contacts of potentially affected tailnets over email.

Who was affected?

All tailnets that use App Connectors or Restricted Domains, and have macOS or iOS nodes could have been affected.

In our experience this bug is usually triggered intermittently, when switching networks. Only lookups of bare domains, like mynode but not mynode.mytailnet.ts.net, are at risk.

Note that not all split DNS domains are dangerous. Only domains where an attacker can choose an FQDN that matches a node name and controls the destination that receives the non-TLS traffic could be abused.

We are not aware of any active exploitation of this vulnerability.

What was the impact?

For a split DNS domain example.com, an attacker with control over mynode.example.com can impersonate a non-TLS server running on node mynode on the tailnet. This attack is opportunistic and passive: it relies on the user connecting to mynode using its bare domain and cannot be forced remotely.
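The bulletin describes the symptom (a bare node name answered with the split DNS domain's record) but not the client-side ordering that produced it. The following is an added illustration, not Tailscale's code: a deliberately simplified resolver model in which a bare name is expanded with the split DNS search domain before tailnet node names are consulted (a hypothetical ordering assumed here purely to show the failure mode), next to the corrected ordering that answers node names first, plus a defender-side check that flags bare node names whose observed answer falls outside the tailnet address ranges. All node names, routes and answers are constructed sample data; mynode, example.com and mytailnet.ts.net are the bulletin's own examples.

```python
import ipaddress

# Constructed sample data; none of these are real tailnet records or resolvers.
TAILNET_SUFFIX = "mytailnet.ts.net"
TAILNET_NODES = {"mynode": "100.101.102.103", "printer": "100.64.0.7"}
SPLIT_DNS_ROUTES = {"example.com": "app-connector-resolver"}  # suffix -> resolver
SPLIT_RESOLVER_ANSWERS = {"mynode.example.com": "203.0.113.10"}  # zone under attacker control
SEARCH_DOMAINS = ["example.com"]  # OS search list derived from the split DNS routes (assumption)

TAILNET_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),        # Tailscale IPv4 (CGNAT) range
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),  # Tailscale IPv6 ULA range
)


def is_tailnet_address(addr: str) -> bool:
    """True if addr lies in one of the tailnet address ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TAILNET_RANGES)


def _split_dns_lookup(fqdn: str):
    """Forward fqdn to the split DNS resolver whose suffix matches it, if any."""
    for suffix in SPLIT_DNS_ROUTES:
        if fqdn == suffix or fqdn.endswith("." + suffix):
            return SPLIT_RESOLVER_ANSWERS.get(fqdn)
    return None


def _node_lookup(name: str):
    """Answer tailnet node names, given bare or with the tailnet suffix."""
    if name.endswith("." + TAILNET_SUFFIX):
        name = name[: -len(TAILNET_SUFFIX) - 1]
    return TAILNET_NODES.get(name)


def resolve_buggy(name: str):
    """Hypothetical faulty order: a bare name is first expanded with the search
    domains and forwarded to the split DNS resolver; node names are consulted
    only if that yields nothing. A bare 'mynode' therefore gets the answer for
    'mynode.example.com', which is the symptom the bulletin describes."""
    if "." not in name:
        for sd in SEARCH_DOMAINS:
            answer = _split_dns_lookup(f"{name}.{sd}")
            if answer is not None:
                return answer
    return _node_lookup(name) or _split_dns_lookup(name)


def resolve_fixed(name: str):
    """Corrected order: tailnet node names win for bare queries; search-domain
    expansion is only a fallback for bare names that match no node."""
    answer = _node_lookup(name)
    if answer is not None:
        return answer
    if "." not in name:
        for sd in SEARCH_DOMAINS:
            answer = _split_dns_lookup(f"{name}.{sd}")
            if answer is not None:
                return answer
        return None
    return _split_dns_lookup(name)


def audit_bare_name_answers(observed: dict) -> list:
    """Defender-side check: given {bare node name: answer observed on a client},
    return the node names whose answer lies outside the tailnet ranges."""
    return sorted(
        name for name, answer in observed.items()
        if "." not in name and name in TAILNET_NODES and not is_tailnet_address(answer)
    )


if __name__ == "__main__":
    for fn in (resolve_buggy, resolve_fixed):
        print(fn.__name__, "mynode ->", fn("mynode"),
              "| mynode.mytailnet.ts.net ->", fn("mynode.mytailnet.ts.net"))
    observed = {"mynode": resolve_buggy("mynode"), "printer": "100.64.0.7"}
    print("flagged:", audit_bare_name_answers(observed))
```

Both resolvers answer the fully qualified name mynode.mytailnet.ts.net correctly, which matches the bulletin's note that only bare-name lookups are at risk. The audit function is the part worth keeping: feeding it the answers a client actually returned for its bare node names (for example from the OS resolver during a network switch) turns the bulletin's symptom into a concrete check.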

What do I need to do?

Upgrade your macOS and iOS clients to 1.68.0 or later.

Source: https://tailscale.com/security-bulletins/#ts-2024-007
Published: Wed, 12 Jun 2024 00:00:00 GMT

