Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

x/vulndb: potential Go vuln in tailscale.com/cmd: GHSA-qccm-wmcq-pwr6 #1119

Closed
GoVulnBot opened this issue Nov 21, 2022 · 3 comments
Closed
Assignees
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-qccm-wmcq-pwr6, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
tailscale.com/cmd 1.32.3 < 1.32.3

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 1.32.3
    packages:
      - package: tailscale.com/cmd
description: |-
    A vulnerability identified in the Tailscale client allows a malicious website to access the peer API, which can then be used to access Tailscale environment variables.

    **Affected platforms:** All
    **Patched Tailscale client versions:** v1.32.3 or later, v1.33.257 or later (unstable)

    ### What happened?
    In the Tailscale client, the peer API was vulnerable to DNS rebinding. This allowed an attacker-controlled website visited by the node to rebind DNS for the peer API to an attacker-controlled DNS server, and then making peer API requests in the client, including accessing the node’s Tailscale environment variables.

    ### Who is affected?
    All Tailscale clients prior to version v.1.32.3 are affected.

    ### What should I do?
    Upgrade to v1.32.3 or later to remediate the issue.

    ### What is the impact?
    An attacker with access to the peer API on a node could use that access to read the node’s environment variables, including any credentials or secrets stored in environment variables. This may include Tailscale authentication keys, which could then be used to add new nodes to the user’s tailnet. The peer API access could also be used to learn of other nodes in the tailnet or send files via Taildrop.

    An attacker with access to the peer API who sent a malicious file via Taildrop which was accessed while it was loading could use this to gain access to the local API, and remotely execute code.

    There is no evidence of this vulnerability being purposefully triggered or exploited.

    ### Credits
    We would like to thank [Emily Trau](https://github.com/emilytrau) and [Jamie McClymont (CyberCX)](https://twitter.com/JJJollyjim) for reporting this issue. Further detail is available in [their blog post](https://emily.id.au/tailscale).

    ### References
    * [TS-2022-005](https://tailscale.com/security-bulletins/#ts-2022-005)
    * [Researcher blog post](https://emily.id.au/tailscale)

    ### For more information
    If you have any questions or comments about this advisory, [contact Tailscale support](https://tailscale.com/contact/support/).
cves:
  - CVE-2022-41925
ghsas:
  - GHSA-qccm-wmcq-pwr6

@jba jba self-assigned this Nov 22, 2022
@jba jba added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Nov 22, 2022
@julieqiu julieqiu assigned julieqiu and unassigned jba Nov 29, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/453935 mentions this issue: data/excluded: batch add GO-2022-1119 and GO-2022-1120

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607231 mentions this issue: data/reports: unexclude 20 reports (29)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-1079.yaml
  - data/reports/GO-2022-1080.yaml
  - data/reports/GO-2022-1081.yaml
  - data/reports/GO-2022-1089.yaml
  - data/reports/GO-2022-1099.yaml
  - data/reports/GO-2022-1100.yaml
  - data/reports/GO-2022-1105.yaml
  - data/reports/GO-2022-1106.yaml
  - data/reports/GO-2022-1107.yaml
  - data/reports/GO-2022-1119.yaml
  - data/reports/GO-2022-1120.yaml
  - data/reports/GO-2022-1121.yaml
  - data/reports/GO-2022-1132.yaml
  - data/reports/GO-2022-1135.yaml
  - data/reports/GO-2022-1138.yaml
  - data/reports/GO-2022-1147.yaml
  - data/reports/GO-2022-1151.yaml
  - data/reports/GO-2022-1152.yaml
  - data/reports/GO-2022-1153.yaml
  - data/reports/GO-2022-1154.yaml

Updates #1079
Updates #1080
Updates #1081
Updates #1089
Updates #1099
Updates #1100
Updates #1105
Updates #1106
Updates #1107
Updates #1119
Updates #1120
Updates #1121
Updates #1132
Updates #1135
Updates #1138
Updates #1147
Updates #1151
Updates #1152
Updates #1153
Updates #1154

Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Development

No branches or pull requests

4 participants