{ "schema_version": "1.4.0", "id": "GHSA-vfgq-g5x8-g595", "modified": "2023-03-23T22:09:19Z", "published": "2023-03-23T19:58:23Z", "aliases": [ "CVE-2023-28436" ], "summary": "Non-interactive Tailscale SSH sessions on FreeBSD may use the effective group ID of the tailscaled process", "details": "A vulnerability identified in the implementation of Tailscale SSH in FreeBSD allowed commands to be run with a higher privilege group ID than that specified by Tailscale SSH access rules.\n\n**Affected platforms**: FreeBSD\n\n**Patched Tailscale client versions**: v1.38.2 or later\n\n### What happened?\nA difference in the behavior of the FreeBSD `setgroups` system call from POSIX meant that the Tailscale client running on a FreeBSD-based operating system did not appropriately restrict groups on the host when using Tailscale SSH. When accessing a FreeBSD host over Tailscale SSH, the egid of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules.\n\n### Who is affected?\n9 tailnets with 22 FreeBSD nodes running Tailscale SSH since Tailscale v1.34 (released on 2022-12-04) may have had Tailscale SSH sessions with a higher privilege group ID than that specified in Tailscale SSH access rules.\n\nWe have notified the affected organizations where we have [security contacts](https://tailscale.com/kb/1224/contact-preferences/#setting-the-security-issues-email).\n\n### What is the impact?\nTailscale SSH commands may have been run with a higher privilege group ID than that specified in Tailscale SSH access rules if they met all of the following criteria:\n* The destination node was a FreeBSD device with Tailscale SSH enabled;\n* Tailscale SSH access rules permitted access for non-root users; and\n* A non-interactive SSH session was used.\n\n### What do I need to do?\nIf you are running Tailscale on FreeBSD, upgrade to v1.38.2 or later to remediate the issue. Admins of a tailnet can view [FreeBSD nodes with unpatched versions](https://login.tailscale.com/admin/machines?q=version%3A%3C1.38.2+freebsd) in the admin console.\n\nTo update the local ports tree in advance of what's available upstream, you can:\n\n1. `cd /usr/ports/security/tailscale`\n2. edit the Makefile to set `PORTVERSION` to `1.38.2`\n3. `make makesum`\n4. `make install`\n\nTailscale SSH on other platforms is not affected.\n\n### Credits\nWe would like to thank [Ryan Belgrave](https://www.linkedin.com/in/rbelgrave/) for reporting this issue.\n\n### References\n* [TS-2023-003](https://tailscale.com/security-bulletins/#ts-2023-003)\n\n\n", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N" } ], "affected": [ { "package": { "ecosystem": "Go", "name": "tailscale.com" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "1.34.0" }, { "fixed": "1.38.2" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/tailscale/tailscale/security/advisories/GHSA-vfgq-g5x8-g595" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28436" }, { "type": "WEB", "url": "https://github.com/tailscale/tailscale/commit/d00c046b723dff6e3775d7d35f891403ac21a47d" }, { "type": "PACKAGE", "url": "https://github.com/tailscale/tailscale" }, { "type": "WEB", "url": "https://github.com/tailscale/tailscale/releases/tag/v1.38.2" }, { "type": "WEB", "url": "https://tailscale.com/security-bulletins/#ts-2023-003" } ], "database_specific": { "cwe_ids": [ "CWE-269" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-03-23T19:58:23Z", "nvd_published_at": "2023-03-23T20:15:00Z" } }