ts-2024-009
Vulnerability from tailscale

Description: Potential for API credential disclosure over plaintext HTTP

What happened?

The Tailscale API is primarily accessible over TLS-encrypted HTTP at api.tailscale.com. It also has a limited plaintext HTTP handler to serve HTTP to HTTPS redirects.

Browsers that connect over plaintext HTTP do not send cookies marked as Secure to prevent them from being disclosed to network intermediaries.

However, API clients that connect using plaintext HTTP and send requests with authentication tokens in headers have no such protections to prevent disclosure.

Before June 26, 2024, the Tailscale API did not reject credentialed plaintext API requests and instead served them HTTP 302 redirects as it would to browsers. Typical HTTP client libraries handle redirects transparently, and consequently, the user would not necessarily know their credentials had been exposed.

Starting on June 26, 2024, the Tailscale API now returns errors for all plaintext HTTP requests that include credentials. Additionally, the Tailscale API now automatically revokes API keys that it observes sent over HTTP and notifies Tailnet security owners of this action.

Who was affected?

Any Tailscale API client that connected over plaintext HTTP using credentials before June 26, 2024.

What was the impact?

API clients that connected over plaintext HTTP before June 26, 2024 would have exposed their credentials to network intermediaries, risking them to theft and replay.

What do I need to do?

No action is needed at this time.

Credits

Thanks to Joachim Viide for reporting this issue.

Show details on source website


{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2024-009",
  "link": "https://tailscale.com/security-bulletins/#ts-2024-009",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2024-009",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Thu, 27 Jun 2024 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: Potential for API credential disclosure over plaintext HTTP\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eThe \u003ca href=\"https://tailscale.com/kb/1101/api\"\u003eTailscale API\u003c/a\u003e is primarily accessible over TLS-encrypted HTTP at\n\u003ccode\u003eapi.tailscale.com\u003c/code\u003e. It also has a limited plaintext HTTP handler to serve HTTP\nto HTTPS redirects.\u003c/p\u003e\n\u003cp\u003eBrowsers that connect over plaintext HTTP do not send cookies marked as \u003ccode\u003eSecure\u003c/code\u003e\nto prevent them from being disclosed to network intermediaries.\u003c/p\u003e\n\u003cp\u003eHowever, API clients that connect using plaintext HTTP and send requests\nwith authentication tokens in headers have no such protections to prevent\ndisclosure.\u003c/p\u003e\n\u003cp\u003eBefore June 26, 2024, the Tailscale API did not reject credentialed plaintext\nAPI requests and instead served them HTTP 302 redirects as it would to browsers.\nTypical HTTP client libraries handle redirects transparently, and consequently, the user\nwould not necessarily know their credentials had been exposed.\u003c/p\u003e\n\u003cp\u003eStarting on June 26, 2024, the Tailscale API now returns errors for all plaintext\nHTTP requests that include credentials. Additionally, the Tailscale API now\nautomatically revokes API keys that it observes sent over HTTP and notifies\nTailnet security owners of this action.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eAny Tailscale API client that connected over plaintext HTTP using credentials\nbefore June 26, 2024.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eAPI clients that connected over plaintext HTTP before June 26, 2024 would have\nexposed their credentials to network intermediaries, risking them to theft and\nreplay.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eNo action is needed at this time.\u003c/p\u003e\n\u003ch4\u003eCredits\u003c/h4\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://jviide.iki.fi/\"\u003eJoachim Viide\u003c/a\u003e for reporting this issue.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: Potential for API credential disclosure over plaintext HTTP\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eThe \u003ca href=\"https://tailscale.com/kb/1101/api\"\u003eTailscale API\u003c/a\u003e is primarily accessible over TLS-encrypted HTTP at\n\u003ccode\u003eapi.tailscale.com\u003c/code\u003e. It also has a limited plaintext HTTP handler to serve HTTP\nto HTTPS redirects.\u003c/p\u003e\n\u003cp\u003eBrowsers that connect over plaintext HTTP do not send cookies marked as \u003ccode\u003eSecure\u003c/code\u003e\nto prevent them from being disclosed to network intermediaries.\u003c/p\u003e\n\u003cp\u003eHowever, API clients that connect using plaintext HTTP and send requests\nwith authentication tokens in headers have no such protections to prevent\ndisclosure.\u003c/p\u003e\n\u003cp\u003eBefore June 26, 2024, the Tailscale API did not reject credentialed plaintext\nAPI requests and instead served them HTTP 302 redirects as it would to browsers.\nTypical HTTP client libraries handle redirects transparently, and consequently, the user\nwould not necessarily know their credentials had been exposed.\u003c/p\u003e\n\u003cp\u003eStarting on June 26, 2024, the Tailscale API now returns errors for all plaintext\nHTTP requests that include credentials. Additionally, the Tailscale API now\nautomatically revokes API keys that it observes sent over HTTP and notifies\nTailnet security owners of this action.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eAny Tailscale API client that connected over plaintext HTTP using credentials\nbefore June 26, 2024.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eAPI clients that connected over plaintext HTTP before June 26, 2024 would have\nexposed their credentials to network intermediaries, risking them to theft and\nreplay.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eNo action is needed at this time.\u003c/p\u003e\n\u003ch4\u003eCredits\u003c/h4\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://jviide.iki.fi/\"\u003eJoachim Viide\u003c/a\u003e for reporting this issue.\u003c/p\u003e"
  },
  "title": "TS-2024-009",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2024-009"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.