GRC Viewpoint

Tailscale VPN nodes Susceptible to DNS rebinding

A set of flaws contained in Tailscale, an open-source mesh VPN software, can have disastrous impacts. Leveraging the susceptibility, hackers could stage RCE attacks (remote code execution) against the VPN nodes. The process is called tailscaled, which includes receiving/sending packets and connecting nodes. 

A distinct process extends a user interface along with a tray icon to monitor and configure the services. This front-end interface later communicates with the services (the telescaled service) through LocalAPI, an HTTP API

READ MORE: Securing Post-covid Enterprise Networks: Why It Can Be a Herculean Task?

“Rebinding is a bug with niche applicability (HTTP services listening on private networks with no explicit authentication), usually discussed in the context of IoT devices. It’s the type of thing there are talks about at hacker conferences and such. Yet, I’ve never encountered a situation where it’s exploitable during a pentest job,” says Jamie McClymont, a security researcher. 

Suppose a cyber hacker can perform a rebinding DNS attack on the Tailscale node. In that case, it is possible to map their malicious domain to local IPs to send arbitrary commands to LocalAPIs.

READ MORE: Some Cyber Security Researchers Need to Upgrade Physical Security

LocalAPI has been unable to authenticate client requests besides verifying that they are all from the same sources running Tailscale GUI. 

It is possible to exploit this feature by malicious websites to alter the control plane of Tailscale to arbitrary servers. The Control plane stores VPN nodes public keys. 

The hacker would require a file’s full path to run the latter. Additionally, the attacker needs the victim’s user name for the purpose. The attacker prompts an SMB path through the Tailscale network in order to send the username (windows) to the Tailnet server (attacker-controlled).

Related Articles

Latest Articles