MiaoTony's Box
Meow~
Welcome to MiaoTony's Box.
This is MiaoTony's personal channel.
Blog: https://miaotony.xyz
Contact me with @meow_portal_bot .
Personal Message => block
Have a nice day~

Mysterious users may be removed.
If you were removed by mistake, contact the bot above.
Forwarded from 层叠 - The Cascading
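A DNS rebinding issue in browsers, combined with several missing checks in Tailscale, makes up a series of vulnerabilities that include remote code execution (RCE).

All Windows users are advised to update to 1.32.3 or later immediately. The vulnerability's discoverer also recommends updating Tailscale on devices on other platforms as soon as possible.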

- https://emily.id.au/tailscale
- https://tailscale.com/security-bulletins/#ts-2022-004
seealso: HackerNews:33695886

CVE: CVE-2022-41924
CVSS: 9.6 (Critical)

#CVE #Tailscale #RCE
#今天又看了啥 #security #CVE #tailscale
CVE-2022-41924

Description: A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon tailscaled, which can then be used to remotely execute code.

Affected platforms: Windows
Patched Tailscale client versions: v1.32.3 or later, v1.33.257 or later (unstable)

What happened?
In the Tailscale Windows client, the local API was bound to a local TCP socket, and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server, and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server.

Who is affected?
All Windows clients prior to version v1.32.3 are affected.

What should I do?
If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.

What is the impact?
An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node.
Reviewing all logs confirms this vulnerability was not triggered or exploited.
#tailscale
✉️ Tailscale <info@tailscale.com>
Changes to your Tailscale plan

Changes to Tailscale Pricing and Plans
Today we announced new plans, pricing, and licensing. Some significant changes are that the Personal plan is now called Free, and it includes nearly everything that Tailscale has to offer for up to 3 users and 100 devices. You read that right, your plan just got better.
We’ve also introduced usage-based billing so if you add more than 3 users you will only pay for the number of active users on your tailnet each month.
You can find full plan details on our pricing page and more information in our pricing FAQ.
- The Tailscale Team

TL;DR: the free tier got more generous, now supporting 3 users and 100 devices
#今天又看了啥 #tailscale #network #vscode
Bring your tailnet to VS Code

https://tailscale.com/blog/tailscale-vscode/

We’re releasing a Tailscale extension for Visual Studio Code, a text editor we hear is pretty popular. The new extension, now in beta, brings the magic of your tailnet even closer to your code and makes it easier than ever to share your local development over the internet for collaboration, testing, and experimentation.
You can install the extension from the VS Code Marketplace, or learn more about it in our documentation. It lets you use Tailscale directly in VS Code on macOS and Windows platforms.

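Tailscale has released a new open-source VS Code extension that makes it easy to forward a local port to the public internet for development and debugging
Feels pretty similar to Cloudflare Tunnel (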

GitHub repo: https://github.com/tailscale-dev/vscode-tailscale