CVE-2022-41924 - Critical vulnerability in Tailscale Windows client allows remote code execution through malicious website

A critical vulnerability, assigned the CVE identifier CVE-2022-41924, has been discovered in the Tailscale Windows client that can potentially allow an attacker to remotely execute code on the affected node. This vulnerability originates from the poorly secured communication between the Tailscale daemon tailscaled and the Windows client GUI, giving malicious websites the ability to reconfigure the client and subsequently gain control over the node.

Impact

The exploitation of this vulnerability can lead to the takeover of the Tailscale Windows client node by an attacker, permitting remote code execution and unauthorized access to the node. The flaw affects all Windows clients running Tailscale versions prior to v1.32.3.

Technical Details

The root cause of this vulnerability is the lack of proper security measures when communicating between the Tailscale daemon tailscaled and the Windows client GUI. The local API was bound to a local TCP socket without any Host header verification, allowing cleartext communication.

An attacker can exploit this vulnerability by having the victim visit a malicious website they control. The website can change the DNS settings of the client, effectively rebinding its DNS to an attacker-controlled DNS server. Subsequently, the attacker can make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server.

Once an attacker-controlled coordination server is established, the attacker can send malicious URL responses to the client, which may include pushing executables or installing an SMB share. This enables the attacker to remotely execute code on the affected node.

Proof of Concept (Code Snippet)

import socket

# Replace the following with the actual IP address and port of the Tailscale local API
TARGET_IP = '192.168.1.100'
TARGET_PORT = 4242

payload = b'PUT /localapi/v/prefs HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/json\r\nContent-Length: 71\r\n\r\n{"Persist": {"Provider": "Manual", "LoginName": "attacker@localhost"}}'

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((TARGET_IP, TARGET_PORT))
sock.sendall(payload)
response = sock.recv(4096)
sock.close()

print(response)

Mitigation

To fix this vulnerability, users are advised to update their Tailscale Windows clients to version v1.32.3 or later. This update addresses the issue by implementing proper security measures in the API communication, preventing malicious websites from exploiting the vulnerability.

References

1. Tailscale Changelog
2. Tailscale Security Advisory

Conclusion

CVE-2022-41924 is a critical vulnerability in the Tailscale Windows client that can lead to remote code execution on the affected node. Users are highly recommended to update their Tailscale clients to the latest version as soon as possible to protect against potential attacks exploiting this vulnerability.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 12/01/2022 15:45:00 UTC