A security vulnerability, CVE-2023-28436, has been identified in the implementation of Tailscale SSH on FreeBSD, affecting versions starting at 1.34.0 and prior to 1.38.2. Tailscale is a mesh VPN built on WireGuard that authenticates nodes through an identity provider with multi-factor authentication (MFA) to create secure, user-friendly private networks. The vulnerability allows users who are granted access by Tailscale SSH access rules to run commands with a more privileged group ID than the rules specify. Affected users should upgrade to Tailscale 1.38.2 immediately.

References

- Tailscale Release Notes
- FreeBSD setgroups Documentation

Exploit Details

The root cause of this vulnerability is a difference between the behaviour of the FreeBSD setgroups system call and its POSIX counterpart. Because of that difference, the Tailscale client running on FreeBSD did not correctly restrict the groups of commands it ran on the host on behalf of Tailscale SSH sessions.

When accessing a FreeBSD host over Tailscale SSH, the effective group ID (egid) of the tailscaled process was used instead of that of the user specified in the Tailscale SSH access rules. Since tailscaled normally runs as root, commands run over Tailscale SSH may therefore have executed with a more privileged group ID (gid 0, wheel) than the one intended by the access rules.

Here is an example of how this vulnerability can be exploited:

# On the vulnerable FreeBSD host:
$ tailscale version
1.34.0

# On the attacking machine (a tailnet node permitted by the SSH access rules):
$ ssh -J tailscale@example.com non_root_user@100.64..2 id
uid=1001(non_root_user) gid=0(wheel) groups=0(wheel)

The output shows that non_root_user, having logged into the vulnerable FreeBSD host over Tailscale SSH, runs with an effective group ID of 0 (wheel), the egid of the root-owned tailscaled process, rather than with their own primary group. On FreeBSD, wheel is the group that su(1) consults before allowing a switch to root, so the user gains group privileges that the access rules never granted.

This vulnerability is only exploitable on a FreeBSD device with Tailscale SSH enabled and Tailscale SSH access rules that permit access as a non-root user. In addition, only non-interactive SSH sessions (a command passed on the ssh command line, as in the example above) are affected.
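To make the root cause and the check concrete, here is an added example in Go (the language Tailscale is written in); it is not tailscaled's own code and its function names are hypothetical. gidSetFor builds the list a root daemon must hand to setgroups(2) on FreeBSD versus a POSIX system, relying on the behaviour documented for FreeBSD's setgroups(2) that gidset[0] becomes the effective group ID; dropPrivileges applies it and verifies the resulting egid rather than trusting the call sequence; auditID parses the output of `id` captured over an SSH session so an operator can test hosts that may still be on a vulnerable version. The sample `id` line is constructed to match the output above.

```go
package main

import (
	"fmt"
	"regexp"
	"runtime"
	"strconv"
	"strings"
	"syscall"
)

// gidSetFor builds the list to pass to setgroups(2) when a root daemon
// spawns a command as a less privileged user. Illustration only, not
// tailscaled's code.
//
// On Linux the list holds only supplementary groups; the effective GID is
// set separately by setgid(2). On FreeBSD, setgroups(2) also makes
// gidset[0] the process's effective GID (per the FreeBSD documentation
// referenced above), so a list that does not start with the target GID
// leaves the effective GID at the parent's value: gid 0 (wheel) for a
// daemon running as root. That is the hazard this advisory describes.
func gidSetFor(goos string, wantGid int, supplementary []int) []int {
	if goos != "freebsd" {
		return append([]int(nil), supplementary...)
	}
	out := []int{wantGid} // gidset[0] must be the user's primary group
	for _, g := range supplementary {
		if g != wantGid {
			out = append(out, g)
		}
	}
	return out
}

// dropPrivileges switches the calling process to the target user and
// refuses to continue if the effective GID did not end up as requested.
// Call it only in a process dedicated to the user's command (after fork,
// before exec); it needs root to succeed.
func dropPrivileges(wantUid, wantGid int, supplementary []int) error {
	if err := syscall.Setgroups(gidSetFor(runtime.GOOS, wantGid, supplementary)); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(wantGid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(wantUid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	// Post-condition: never assume the calls above did what POSIX promises.
	if got := syscall.Getegid(); got != wantGid {
		return fmt.Errorf("effective gid is %d, want %d", got, wantGid)
	}
	return nil
}

// idLine matches the leading "uid=N(name) gid=N(name)" of id(1) output.
var idLine = regexp.MustCompile(`^uid=(\d+)\([^)]*\) gid=(\d+)\(([^)]*)\)`)

// auditID parses the output of `id` captured over Tailscale SSH and reports
// the effective GID the command ran with and whether it matches wantGid.
func auditID(out string, wantGid int) (gotGid int, gotName string, ok bool, err error) {
	m := idLine.FindStringSubmatch(strings.TrimSpace(out))
	if m == nil {
		return 0, "", false, fmt.Errorf("unrecognised id output: %q", out)
	}
	gotGid, err = strconv.Atoi(m[2])
	if err != nil {
		return 0, "", false, err
	}
	return gotGid, m[3], gotGid == wantGid, nil
}

func main() {
	// Constructed sample matching the vulnerable output shown above.
	const sample = "uid=1001(non_root_user) gid=0(wheel) groups=0(wheel)\n"
	gid, name, ok, err := auditID(sample, 1001)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if !ok {
		fmt.Printf("VULNERABLE: command ran with gid %d(%s), expected 1001\n", gid, name)
	} else {
		fmt.Println("ok: effective gid matches")
	}
	fmt.Println("freebsd gidset:", gidSetFor("freebsd", 1001, []int{1001, 2000}))
	fmt.Println("linux gidset:  ", gidSetFor("linux", 1001, []int{1001, 2000}))
}
```

The post-condition check in dropPrivileges is the part worth copying: a daemon that verifies its egid after dropping privileges fails closed on a kernel whose setgroups semantics differ from what its author assumed, instead of silently running the user's command as wheel.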

Remediation

Users affected by this vulnerability should upgrade to Tailscale version 1.38.2 or later, which resolves the issue. The fixed version correctly restricts the groups of commands run on the host, eliminating the privilege escalation.

# On the affected FreeBSD host:
$ sudo pkg update
$ sudo pkg upgrade tailscale

After the upgrade, verify the installed version:

$ tailscale version
1.38.2

In conclusion, users of Tailscale on FreeBSD-based operating systems should upgrade to the latest release to protect against this privilege escalation vulnerability (CVE-2023-28436).

Timeline

Published on: 03/23/2023 20:15:00 UTC
Last modified on: 03/31/2023 13:28:00 UTC