PT-2023-21719 · Tailscale · Tailscale

Ryan Belgrave · Published 2023-03-23 · Updated 2025-08-07

CVE-2023-28436
CVSS v3.1: 5.7 (Medium)
Vector: AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Tailscale versions 1.34.0 through 1.38.2

Description
A vulnerability in the implementation of Tailscale SSH on FreeBSD allows commands to be run with a higher-privileged group ID than the one specified in Tailscale SSH access rules. The issue arises because the FreeBSD setgroups system call behaves differently from POSIX, which prevents the Tailscale client from correctly restricting groups on the host when using Tailscale SSH. As a result, when a FreeBSD host is accessed over Tailscale SSH, the egid of the tailscaled process is used instead of that of the user specified in the Tailscale SSH access rules. Approximately 9 tailnets with 22 FreeBSD nodes may have been affected since Tailscale version 1.34.

Recommendations
For Tailscale versions 1.34.0 through 1.38.2, upgrade to version 1.38.2 or later to remediate the issue. To update the local ports tree in advance, edit the Makefile to set PORTVERSION to 1.38.2, then run make makesum and make install. As a temporary workaround, consider restricting access to Tailscale SSH on FreeBSD devices until the issue is resolved.
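As an added example (not Tailscale's code and not its fix), the following privilege-drop routine accounts for the setgroups difference the advisory describes: on FreeBSD the kernel keeps the effective gid as the first entry of the process's group list, so a setgroups call overwrites the egid with whatever is listed first, whereas Linux treats the list as supplementary groups only. The routine places the target gid first on FreeBSD, orders the setgroups/setgid/setuid calls so each runs while the process still has the privilege to make it, and then verifies the identity the kernel reports before anything would run as the target user, which is the check that would have caught a tailscaled egid surviving the switch. Function names and the sample uid/gid values are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"runtime"
	"syscall"
)

// groupListFor builds the argument for setgroups(2) when switching to the
// target account. Linux treats the list as supplementary groups only, so it is
// passed through unchanged. FreeBSD keeps the effective gid as the first entry
// of the group list (cr_groups[0]), so setgroups overwrites the egid with the
// first element; placing the target gid first keeps the egid where the access
// rule wants it.
func groupListFor(goos string, gid int, supplementary []int) []int {
	out := make([]int, 0, len(supplementary)+1)
	if goos == "freebsd" {
		out = append(out, gid)
	}
	for _, g := range supplementary {
		if goos == "freebsd" && g == gid {
			continue // already listed first; do not repeat it
		}
		out = append(out, g)
	}
	return out
}

// verifyDrop compares the identity the kernel reports after the switch with the
// identity the access rule asked for. A stale egid (the privileged process's own
// group surviving the switch) is the condition this advisory describes, so the
// caller refuses to start the session when this returns an error.
func verifyDrop(wantUID, wantGID int, wantGroups []int, uid, euid, gid, egid int, groups []int) error {
	if uid != wantUID || euid != wantUID {
		return fmt.Errorf("uid/euid %d/%d, want %d", uid, euid, wantUID)
	}
	if gid != wantGID || egid != wantGID {
		return fmt.Errorf("gid/egid %d/%d, want %d", gid, egid, wantGID)
	}
	allowed := map[int]bool{wantGID: true} // FreeBSD reports the egid in getgroups
	for _, g := range wantGroups {
		allowed[g] = true
	}
	for _, g := range groups {
		if !allowed[g] {
			return fmt.Errorf("unexpected group %d in group list %v", g, groups)
		}
	}
	return nil
}

// dropPrivileges switches the calling process to uid/gid with the given
// supplementary groups. Order matters: setgroups first, while the process can
// still call it, then setgid, then setuid; the result is checked before the
// caller runs anything as the target user.
func dropPrivileges(uid, gid int, supplementary []int) error {
	if err := syscall.Setgroups(groupListFor(runtime.GOOS, gid, supplementary)); err != nil {
		return fmt.Errorf("setgroups: %w", err)
	}
	if err := syscall.Setgid(gid); err != nil {
		return fmt.Errorf("setgid: %w", err)
	}
	if err := syscall.Setuid(uid); err != nil {
		return fmt.Errorf("setuid: %w", err)
	}
	groups, err := os.Getgroups()
	if err != nil {
		return fmt.Errorf("getgroups: %w", err)
	}
	return verifyDrop(uid, gid, supplementary, os.Getuid(), os.Geteuid(), os.Getgid(), os.Getegid(), groups)
}

func main() {
	// Constructed target identity; real code would resolve it from the user
	// named in the SSH access rule via os/user.
	const targetUID, targetGID = 1001, 1001
	supp := []int{1002}
	fmt.Println("setgroups list on this OS:", groupListFor(runtime.GOOS, targetGID, supp))
	if os.Geteuid() != 0 {
		fmt.Println("not running as root; skipping the real privilege drop")
		return
	}
	if err := dropPrivileges(targetUID, targetGID, supp); err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start session:", err)
		os.Exit(1)
	}
	fmt.Println("privileges dropped; egid is now", os.Getegid())
}
```

The real system calls only succeed as root, so the program only prints the computed group list when run unprivileged; the two pure functions are what a unit test would exercise on any platform.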

Weakness Enumeration
Improper Privilege Management

Related Identifiers
CVE-2023-28436
GHSA-VFGQ-G5X8-G595
GO-2023-1671

Affected Products
Tailscale