Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/vulndb: potential Go vuln in tailscale.com/cmd: GHSA-vqp6-rc3h-83cp #1120

Closed
GoVulnBot opened this issue Nov 21, 2022 · 3 comments
Closed
Assignees
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-vqp6-rc3h-83cp, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
tailscale/tailscale.com/cmd 1.32.3 < 1.32.3

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: TODO
    versions:
      - fixed: 1.32.3
    packages:
      - package: tailscale/tailscale.com/cmd
description: "A vulnerability identified in the Tailscale Windows client allows a
    malicious website to reconfigure the Tailscale daemon `tailscaled`, which can
    then be used to remotely execute code.\n\n**Affected platforms:** Windows\n**Patched
    Tailscale client versions:** v1.32.3 or later, v1.33.257 or later (unstable)\n\n###
    What happened?\nIn the Tailscale Windows client, the local API was bound to a
    local TCP socket, and communicated with the Windows client GUI in cleartext with
    no Host header verification. This allowed an attacker-controlled website visited
    by the node to rebind DNS to an attacker-controlled DNS server, and then make
    local API requests in the client, including changing the coordination server to
    an attacker-controlled coordination server.\n\n### Who is affected?\nAll Windows
    clients prior to version v.1.32.3 are affected.\n\n### What should I do?\nIf you
    are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the
    issue.\n\n### What is the impact?\nAn attacker-controlled coordination server
    can send malicious URL responses to the client, including pushing executables
    or installing an SMB share. These allow the attacker to remotely execute code
    on the node.\n\nReviewing all logs confirms this vulnerability was not triggered
    or exploited. \n\n### Credits\nWe would like to thank [Emily Trau](https://github.com/emilytrau)
    and [Jamie McClymont (CyberCX)](https://twitter.com/JJJollyjim) for reporting
    this issue. Further detail is available in [their blog post](https://emily.id.au/tailscale).\n\n###
    References\n* [TS-2022-004](https://tailscale.com/security-bulletins/#ts-2022-004)\n*
    [Researcher blog post](https://emily.id.au/tailscale)\n\n### For more information\nIf
    you have any questions or comments about this advisory, [contact Tailscale support](https://tailscale.com/contact/support/).\n"
cves:
  - CVE-2022-41924
ghsas:
  - GHSA-vqp6-rc3h-83cp

@jba jba self-assigned this Nov 22, 2022
@jba jba added the excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable. label Nov 22, 2022
@julieqiu julieqiu assigned julieqiu and unassigned jba Nov 29, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/453935 mentions this issue: data/excluded: batch add GO-2022-1119 and GO-2022-1120

@julieqiu julieqiu changed the title x/vulndb: potential Go vuln in tailscale/tailscale.com/cmd: GHSA-vqp6-rc3h-83cp x/vulndb: potential Go vuln in tailscale.com: GHSA-vqp6-rc3h-83cp Nov 29, 2022
@julieqiu julieqiu changed the title x/vulndb: potential Go vuln in tailscale.com: GHSA-vqp6-rc3h-83cp x/vulndb: potential Go vuln in tailscale.com/cmd: GHSA-vqp6-rc3h-83cp Nov 29, 2022
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592835 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607231 mentions this issue: data/reports: unexclude 20 reports (29)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
  - data/reports/GO-2022-1079.yaml
  - data/reports/GO-2022-1080.yaml
  - data/reports/GO-2022-1081.yaml
  - data/reports/GO-2022-1089.yaml
  - data/reports/GO-2022-1099.yaml
  - data/reports/GO-2022-1100.yaml
  - data/reports/GO-2022-1105.yaml
  - data/reports/GO-2022-1106.yaml
  - data/reports/GO-2022-1107.yaml
  - data/reports/GO-2022-1119.yaml
  - data/reports/GO-2022-1120.yaml
  - data/reports/GO-2022-1121.yaml
  - data/reports/GO-2022-1132.yaml
  - data/reports/GO-2022-1135.yaml
  - data/reports/GO-2022-1138.yaml
  - data/reports/GO-2022-1147.yaml
  - data/reports/GO-2022-1151.yaml
  - data/reports/GO-2022-1152.yaml
  - data/reports/GO-2022-1153.yaml
  - data/reports/GO-2022-1154.yaml

Updates #1079
Updates #1080
Updates #1081
Updates #1089
Updates #1099
Updates #1100
Updates #1105
Updates #1106
Updates #1107
Updates #1119
Updates #1120
Updates #1121
Updates #1132
Updates #1135
Updates #1138
Updates #1147
Updates #1151
Updates #1152
Updates #1153
Updates #1154

Change-Id: Ice57e62cbaec73a848639ed6de50434eac91a368
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607231
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Commit-Queue: Tatiana Bradley <tatianabradley@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
excluded: NOT_IMPORTABLE This vulnerability only exists in a binary and is not importable.
Projects
None yet
Development

No branches or pull requests

4 participants