CVE-2022-41924

Severity: Critical · Public PoC available

Published: 23 November 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: available (Windows client 1.32.3 or later)
CVSS v3.1 Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.5356 (98.0th percentile)
Risk Priority: 51 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-41924 is a critical-severity Origin Validation Error (CWE-346) vulnerability in the Tailscale client (vendor: Tailscale). Its CVSS base score is 9.6 (Critical).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a DNS rebinding and insufficient origin-validation flaw in the Tailscale Windows client that exposes the local tailscaled API. The client bound its local API to a TCP socket and exchanged unauthenticated cleartext messages without Host-header checks, allowing a web page to reconfigure the daemon. All Windows clients prior to version 1.32.3 are affected.

An attacker who persuades a Tailscale node operator to visit a malicious website can exploit the issue to rebind DNS, issue local API calls that point the client at an attacker-controlled coordination server, and then receive malicious responses that push executables or mount SMB shares, resulting in remote code execution on the node. The attack requires no authentication beyond the victim browsing the attacker’s site and carries a CVSS 3.1 score of 9.6.

Public advisories from Tailscale and the associated GitHub Security Advisory GHSA-vqp6-rc3h-83cp state that the only remediation is to upgrade the Windows client to version 1.32.3 or later; no work-arounds are offered.

The current EPSS of 0.5356 (peak 0.5372) indicates sustained moderate exploitation interest after disclosure.

Vulnerability details

A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
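As an added illustration (not Tailscale's code, and not the fix it shipped), the kind of Host and Origin validation a loopback-bound local API needs so that a browser page reaching it through a rebound DNS name is refused before any handler runs. The API path and port numbers are assumptions for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Host values a loopback-bound API may accept; the port is stripped before lookup.
var allowedHosts = map[string]bool{"localhost": true, "127.0.0.1": true, "::1": true}
// hostAllowed reports whether a Host (or Origin) header names this machine. A page that
// rebinds its own domain to 127.0.0.1 still sends that domain as Host, so it never matches.
func hostAllowed(hostHeader string) bool {
	host := strings.ToLower(strings.TrimSpace(hostHeader))
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // "[::1]:8080" -> "::1", "localhost:8080" -> "localhost"
	}
	host = strings.Trim(host, "[]") // bare "[::1]" with no port
	return host != "" && allowedHosts[host]
}

// requireLocalHost answers 403 unless Host and, when present, Origin point at the
// local machine, so the wrapped handler never sees a rebound or cross-site request.
func requireLocalHost(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		u, err := url.Parse(origin) // "null" parses to an empty host and is rejected
		if !hostAllowed(r.Host) || (origin != "" && (err != nil || !hostAllowed(u.Host))) {
			http.Error(w, "forbidden: request did not originate locally", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request with the given Host/Origin through the guard.
func statusFor(host, origin string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(200) })
	req := httptest.NewRequest("POST", "/local-api/prefs", nil) // hypothetical API path
	req.Host = host
	req.Header.Set("Origin", origin) // empty string behaves like a missing header
	rec := httptest.NewRecorder()
	requireLocalHost(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(statusFor("localhost:8080", ""), statusFor("api.attacker.example", "")) }
```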

CWE(s): CWE-346 (Origin Validation Error), CWE-352 (Cross-Site Request Forgery)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: tailscale
Product: tailscale
Versions: ≤ 1.32.3

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-352: Awareness training educates users on avoiding untrusted links and actions that can be exploited via CSRF.
- Addresses CWE-352: Requiring user re-entry of credentials for sensitive actions prevents automated forgery of requests without active user participation.
- Addresses CWE-346: Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction.
- Addresses CWE-352: Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications.
- Addresses CWE-346: Trusted path establishment enforces validation that the communication originates from and reaches only the intended trusted system components.
- Addresses CWE-346: Enforces validation of the true origin of DNS responses via signatures and chain-of-trust mechanisms.
- Addresses CWE-346: Enforces origin validation of name/address data, eliminating reliance on unverified or impersonated DNS sources.
- Addresses CWE-346: Mandates origin validation so that only legitimate endpoints can continue the authenticated session.
