ts-2024-011
Vulnerability from tailscale

Description: SCIM group name disclosure via the ACL editor

What happened?

The ACL editor in the admin console did not check SCIM group names in the ACL rules against the tailnet name. This allowed tailnet A to use SCIM groups from tailnet B in their ACL rules. A malicious user in tailnet A could not gain access to target tailnet B this way. However, they could use the fact that ACLs get saved without warnings to learn about valid SCIM group names in other tailnets.

This issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM group names from other tailnets will always receive a warning that these groups do not exist, even if they do exist in other tailnets.

Who was affected?

None of the existing tailnets' ACLs appear to use SCIM group names from other tailnets maliciously. A handful of customers used the wrong SCIM group names from their production tailnets in their test tailnets by accident.

What was the impact?

A malicious user could learn about SCIM group names used in other tailnets.

What do I need to do?

No action is required.

Show details on source website

To clipboard 

{
  "guidislink": false,
  "id": "https://tailscale.com/security-bulletins/#ts-2024-011",
  "link": "https://tailscale.com/security-bulletins/#ts-2024-011",
  "links": [
    {
      "href": "https://tailscale.com/security-bulletins/#ts-2024-011",
      "rel": "alternate",
      "type": "text/html"
    }
  ],
  "published": "Mon, 22 Jul 2024 00:00:00 GMT",
  "summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: SCIM group name disclosure via the ACL editor\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eThe \u003ca href=\"https://tailscale.com/kb/1338/acl-edit\"\u003eACL editor\u003c/a\u003e in the admin console did not check \u003ca href=\"https://tailscale.com/kb/1290/user-group-provisioning\"\u003eSCIM\u003c/a\u003e\ngroup names in the ACL rules against the tailnet name. This allowed tailnet A\nto use SCIM groups from tailnet B in their ACL rules. A malicious user in\ntailnet A could not gain access to target tailnet B this way. However, they\ncould use the fact that ACLs get saved without warnings to learn about valid\nSCIM group names in other tailnets.\u003c/p\u003e\n\u003cp\u003eThis issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM\ngroup names from other tailnets will always receive a warning that these groups\ndo not exist, even if they do exist in other tailnets.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eNone of the existing tailnets\u0027 ACLs appear to use SCIM group names from other\ntailnets maliciously. A handful of customers used the wrong SCIM group names\nfrom their production tailnets in their test tailnets by accident.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eA malicious user could learn about SCIM group names used in other tailnets.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eNo action is required.\u003c/p\u003e",
  "summary_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/html",
    "value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: SCIM group name disclosure via the ACL editor\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eThe \u003ca href=\"https://tailscale.com/kb/1338/acl-edit\"\u003eACL editor\u003c/a\u003e in the admin console did not check \u003ca href=\"https://tailscale.com/kb/1290/user-group-provisioning\"\u003eSCIM\u003c/a\u003e\ngroup names in the ACL rules against the tailnet name. This allowed tailnet A\nto use SCIM groups from tailnet B in their ACL rules. A malicious user in\ntailnet A could not gain access to target tailnet B this way. However, they\ncould use the fact that ACLs get saved without warnings to learn about valid\nSCIM group names in other tailnets.\u003c/p\u003e\n\u003cp\u003eThis issue was fixed on July 19th, 2024. A user trying to save ACLs with SCIM\ngroup names from other tailnets will always receive a warning that these groups\ndo not exist, even if they do exist in other tailnets.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eNone of the existing tailnets\u0027 ACLs appear to use SCIM group names from other\ntailnets maliciously. A handful of customers used the wrong SCIM group names\nfrom their production tailnets in their test tailnets by accident.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eA malicious user could learn about SCIM group names used in other tailnets.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eNo action is required.\u003c/p\u003e"
  },
  "title": "TS-2024-011",
  "title_detail": {
    "base": "https://tailscale.com/security-bulletins/index.xml",
    "language": null,
    "type": "text/plain",
    "value": "TS-2024-011"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.