CVE-2022-41924

Description from NVD

A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v.1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

Information Acquisition Date: 2022/12/01
CVSS 2.0: 0.0 None CVSS 3.x: 9.6 CRITICAL

NVD References

 https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html
     source:MISC
     tags:
 https://crbug.com/1382581
     source:MISC
     tags:


Software Tag: BIND(15 tweets) Java(2 tweets) Windows(31 tweets) Wordpress(1 tweets)



List of frequently cited URLs

URL    Num of Times Referred to
https://cvetrends.com    49
https://emily.id.au/tailscale    24
https://news.ycombinator.com/item?id=33695886    11
https://tailscale.com/security-bulletins/#ts-2022-004    10


GitHub Search Results: Up to 10
Name    URL
No Data

2022/12/02 Score : 3
Added Har-sia Database : 2022/11/22
Last Modified : 2022/12/02
Highest Scored Date : 2022/11/22
Highest Score : 52