x/vulndb: potential Go vuln in tailscale.com: GHSA-vfgq-g5x8-g595 #1671

Closed
GoVulnBot opened this issue Mar 23, 2023 · 3 comments

@GoVulnBot

In GitHub Security Advisory GHSA-vfgq-g5x8-g595, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| tailscale.com | 1.38.2 | >= 1.34.0, < 1.38.2 |

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: tailscale.com
    versions:
      - introduced: 1.34.0
        fixed: 1.38.2
    packages:
      - package: tailscale.com
summary: Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group
    ID of the tailscaled process
description: |+
    A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules.

    **Affected platforms**: FreeBSD

    **Patched Tailscale client versions**: v1.38.2 or later

    ### What happened?
    A difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.

    ### Who is affected?
    9 tailnets with 22 FreeBSD nodes running Tailscale SSH since Tailscale v1.34 (released on 2022-12-04) may have had Tailscale SSH sessions with a higher privilege group ID than that specified in Tailscale SSH access rules.

    We have notified the affected organizations where we have [security contacts](https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email).

    ### What is the impact?
    Tailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria:
    * The destination node was a FreeBSD device with Tailscale SSH enabled;
    * Tailscale SSH access rules permitted access for non-root users; and
    * A non-interactive SSH session was used.

    ### What do I need to do?
    If you are running Tailscale on FreeBSD, upgrade to v1.38.2 or later to remediate the issue. Admins of a tailnet can view [FreeBSD nodes with unpatched versions](https://login.tailscale.com/admin/machines?q=version%3A%3C1.38.2+freebsd) in the admin console.

    To update the local ports tree in advance of what's available upstream, you can:

    1. `cd /usr/ports/security/tailscale`
    2. edit the Makefile to set `PORTVERSION` to `1.38.2`
    3. `make makesum`
    4. `make install`

    Tailscale SSH on other platforms is not affected.

    ### Credits
    We would like to thank [Ryan Belgrave](https://www.linkedin.com/in/rbelgrave/) for reporting this issue.

    ### References
    * [TS-2023-003](https://tailscale.com/security-bulletins/#ts-2023-003)


cves:
  - CVE-2023-28436
ghsas:
  - GHSA-vfgq-g5x8-g595
references:
  - advisory: https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595
  - fix: https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d
  - web: https://github.com/tailscale/tailscale/releases/tag/v1.38.2
  - web: https://tailscale.com/security-bulletins/#ts-2023-003
  - advisory: https://github.com/advisories/GHSA-vfgq-g5x8-g595

@jba self-assigned this Mar 23, 2023
@jba added the "excluded: EFFECTIVELY_PRIVATE" label (This vulnerability exists in a package can be imported, but isn't meant to be outside that module.) Mar 23, 2023
@gopherbot

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665

@gopherbot

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports

@gopherbot

Change https://go.dev/cl/606784 mentions this issue: data/reports: unexclude 20 reports (4)

gopherbot pushed a commit that referenced this issue Aug 20, 2024
  - data/reports/GO-2023-1643.yaml
  - data/reports/GO-2023-1644.yaml
  - data/reports/GO-2023-1651.yaml
  - data/reports/GO-2023-1652.yaml
  - data/reports/GO-2023-1653.yaml
  - data/reports/GO-2023-1654.yaml
  - data/reports/GO-2023-1655.yaml
  - data/reports/GO-2023-1656.yaml
  - data/reports/GO-2023-1657.yaml
  - data/reports/GO-2023-1658.yaml
  - data/reports/GO-2023-1659.yaml
  - data/reports/GO-2023-1660.yaml
  - data/reports/GO-2023-1661.yaml
  - data/reports/GO-2023-1662.yaml
  - data/reports/GO-2023-1670.yaml
  - data/reports/GO-2023-1671.yaml
  - data/reports/GO-2023-1682.yaml
  - data/reports/GO-2023-1683.yaml
  - data/reports/GO-2023-1685.yaml
  - data/reports/GO-2023-1699.yaml

Updates #1643
Updates #1644
Updates #1651
Updates #1652
Updates #1653
Updates #1654
Updates #1655
Updates #1656
Updates #1657
Updates #1658
Updates #1659
Updates #1660
Updates #1661
Updates #1662
Updates #1670
Updates #1671
Updates #1682
Updates #1683
Updates #1685
Updates #1699

Change-Id: Iddcfb6c5438e03827049eecbf0a95fae6c078436
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/606784
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>