ts-2024-011
Vulnerability from tailscale
Description: SCIM group name disclosure via the ACL editor
What happened?
The ACL editor in the admin console did not check SCIM group names in the ACL rules against the tailnet name. This allowed tailnet A to use SCIM groups from tailnet B in their ACL rules. A malicious user in tailnet A could not gain access to target tailnet B this way. However, they could use the fact that ACLs get saved without warnings to learn about valid SCIM group names in other tailnets.
This issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM group names from other tailnets will always receive a warning that these groups do not exist, even if they do exist in other tailnets.
Who was affected?
None of the existing tailnets' ACLs appear to use SCIM group names from other tailnets maliciously. A handful of customers used the wrong SCIM group names from their production tailnets in their test tailnets by accident.
What was the impact?
A malicious user could learn about SCIM group names used in other tailnets.
What do I need to do?
No action is required.
Show details on source website{ guidislink: false, id: "https://tailscale.com/security-bulletins/#ts-2024-011", link: "https://tailscale.com/security-bulletins/#ts-2024-011", links: [ { href: "https://tailscale.com/security-bulletins/#ts-2024-011", rel: "alternate", type: "text/html", }, ], published: "Mon, 22 Jul 2024 00:00:00 GMT", summary: "<p><strong><em>Description</em></strong>: SCIM group name disclosure via the ACL editor</p>\n<h4>What happened?</h4>\n<p>The <a href=\"https://tailscale.com/kb/1338/acl-edit\">ACL editor</a> in the admin console did not check <a href=\"https://tailscale.com/kb/1290/user-group-provisioning\">SCIM</a>\ngroup names in the ACL rules against the tailnet name. This allowed tailnet A\nto use SCIM groups from tailnet B in their ACL rules. A malicious user in\ntailnet A could not gain access to target tailnet B this way. However, they\ncould use the fact that ACLs get saved without warnings to learn about valid\nSCIM group names in other tailnets.</p>\n<p>This issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM\ngroup names from other tailnets will always receive a warning that these groups\ndo not exist, even if they do exist in other tailnets.</p>\n<h4>Who was affected?</h4>\n<p>None of the existing tailnets' ACLs appear to use SCIM group names from other\ntailnets maliciously. A handful of customers used the wrong SCIM group names\nfrom their production tailnets in their test tailnets by accident.</p>\n<h4>What was the impact?</h4>\n<p>A malicious user could learn about SCIM group names used in other tailnets.</p>\n<h4>What do I need to do?</h4>\n<p>No action is required.</p>", summary_detail: { base: "https://tailscale.com/security-bulletins/index.xml", language: null, type: "text/html", value: "<p><strong><em>Description</em></strong>: SCIM group name disclosure via the ACL editor</p>\n<h4>What happened?</h4>\n<p>The <a href=\"https://tailscale.com/kb/1338/acl-edit\">ACL editor</a> in the admin console did not check <a href=\"https://tailscale.com/kb/1290/user-group-provisioning\">SCIM</a>\ngroup names in the ACL rules against the tailnet name. This allowed tailnet A\nto use SCIM groups from tailnet B in their ACL rules. A malicious user in\ntailnet A could not gain access to target tailnet B this way. However, they\ncould use the fact that ACLs get saved without warnings to learn about valid\nSCIM group names in other tailnets.</p>\n<p>This issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM\ngroup names from other tailnets will always receive a warning that these groups\ndo not exist, even if they do exist in other tailnets.</p>\n<h4>Who was affected?</h4>\n<p>None of the existing tailnets' ACLs appear to use SCIM group names from other\ntailnets maliciously. A handful of customers used the wrong SCIM group names\nfrom their production tailnets in their test tailnets by accident.</p>\n<h4>What was the impact?</h4>\n<p>A malicious user could learn about SCIM group names used in other tailnets.</p>\n<h4>What do I need to do?</h4>\n<p>No action is required.</p>", }, title: "TS-2024-011", title_detail: { base: "https://tailscale.com/security-bulletins/index.xml", language: null, type: "text/plain", value: "TS-2024-011", }, }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.