TS-2023-008
Description: Privilege escalation bugs in the Tailscale Kubernetes operator’s API proxy allowed authenticated tailnet clients to send Kubernetes API requests as the operator’s service account.
Tailscale Kubernetes operator version v1.53.37 fixes the issue and users of the operator who enable the API proxy functionality should update as described below.
What happened?
The Tailscale Kubernetes operator can optionally act as an API server proxy for the cluster’s Kubernetes API. This proxy allows authenticated tailnet users to use their tailnet identity in Kubernetes authentication and RBAC rules. The API server proxy uses impersonation headers to translate tailnet identities to Kubernetes identities.
The operator prior to v1.53.37 has two bugs in the forwarding logic, which affect different modes of operation:
- In the default proxy mode that applies Tailscale identity to proxied requests, incorrect header sanitization allowed a request with a crafted Connection header to drop the impersonation headers from the proxied request. This caused the proxied request to be authenticated as the operator’s service account, and inherit the operator’s permissions.
- In the no-auth proxy mode, which does not apply Tailscale identity to forwarded requests, a specially crafted request could similarly cause the proxied request to use the operator’s identity, with similar results.
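The mechanism behind the first bug, as an added Go example that is not the operator's code: Go's httputil.ReverseProxy implements RFC 7230 section 6.1 and deletes every header named in the client's Connection header, so the point at which a proxy adds its impersonation headers decides whether a client can strip them. Headers set in Director are added before that deletion; headers set in Rewrite (Go 1.20 or later) are added after it. The two proxy variants, the tailnet identity value, the stub API server and the regression check are all constructed for this example and assume nothing about the operator's internals.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// tailnetIdentity is a constructed stand-in for the identity a proxy derives
// from the tailnet connection (the real operator resolves it with a WhoIs
// lookup, which is not modelled here).
type tailnetIdentity struct {
	User   string
	Groups []string
}

// proxyBuilder constructs a proxy towards target that impersonates id.
type proxyBuilder func(target *url.URL, id tailnetIdentity) *httputil.ReverseProxy

// setImpersonation drops any Impersonate-* headers the client supplied and
// replaces them with ones derived from the tailnet identity, so the API server
// evaluates RBAC for that user rather than for the service account whose token
// the proxy's transport carries.
func setImpersonation(h http.Header, id tailnetIdentity) {
	for k := range h {
		if strings.HasPrefix(strings.ToLower(k), "impersonate-") {
			delete(h, k)
		}
	}
	h.Set("Impersonate-User", id.User)
	for _, g := range id.Groups {
		h.Add("Impersonate-Group", g)
	}
}

// newDirectorProxy sets the impersonation headers in Director. ReverseProxy
// runs Director before it strips hop-by-hop headers, so any header the client
// names in its own Connection header is deleted again afterwards. Weak pattern.
func newDirectorProxy(target *url.URL, id tailnetIdentity) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Director: func(r *http.Request) {
			r.URL.Scheme = target.Scheme
			r.URL.Host = target.Host
			r.Host = target.Host
			setImpersonation(r.Header, id)
		},
	}
}

// newRewriteProxy sets them in Rewrite, which ReverseProxy calls only after
// hop-by-hop removal, so the client's Connection header cannot reach headers
// the proxy adds. Hardened pattern.
func newRewriteProxy(target *url.URL, id tailnetIdentity) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(target)
			setImpersonation(pr.Out.Header, id)
		},
	}
}

// forwardedHeaders sends one request carrying clientHdr through a proxy made
// by build to a stub API server and returns the headers the stub received.
// This is the regression check for the bug class.
func forwardedHeaders(build proxyBuilder, clientHdr http.Header) http.Header {
	seen := make(chan http.Header, 1)
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Clone()
		w.WriteHeader(http.StatusOK)
	}))
	defer backend.Close()
	target, err := url.Parse(backend.URL)
	if err != nil {
		panic(err)
	}
	// Constructed identity for the example.
	id := tailnetIdentity{User: "alice@example.com", Groups: []string{"tailnet:engineers"}}
	front := httptest.NewServer(build(target, id))
	defer front.Close()

	req, err := http.NewRequest(http.MethodGet, front.URL+"/api/v1/namespaces", nil)
	if err != nil {
		panic(err)
	}
	for k, vs := range clientHdr {
		for _, v := range vs {
			req.Header.Add(k, v)
		}
	}
	resp, err := front.Client().Do(req)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	select {
	case h := <-seen:
		return h
	default:
		return http.Header{}
	}
}

func main() {
	// A Connection header that declares the impersonation headers hop-by-hop,
	// the shape of request the bulletin describes.
	hostile := http.Header{"Connection": {"Impersonate-User, Impersonate-Group"}}
	for name, build := range map[string]proxyBuilder{"Director (weak)": newDirectorProxy, "Rewrite (hardened)": newRewriteProxy} {
		got := forwardedHeaders(build, hostile)
		fmt.Printf("%-19s Impersonate-User=%q Impersonate-Group=%q\n", name, got.Get("Impersonate-User"), got.Get("Impersonate-Group"))
	}
}
```

The same ordering argument applies to any header a proxy adds to assert identity (bearer tokens, X-Remote-User and similar): add it after hop-by-hop sanitization, or strip the client's Connection header first, and keep a test like forwardedHeaders in the suite so the behaviour cannot regress silently.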
The bug was reported by Mo Khan from Microsoft on 2023-11-01, and fixed on the same day.
Who is affected?
Tailnets using the API server proxy in Tailscale Kubernetes operator images with the following tags are affected:
- unstable-v1.53.20 or earlier
- unstable, deployed before the tag was updated to 1.53.37, some time on 2023-11-01.
Operator users running in the default operator configuration are not affected, as the API proxy is not enabled by default.
What is the impact?
Authenticated tailnet users who have access to the operator’s API proxy can make requests to the Kubernetes API with operator privileges. In the proxy mode that allows the operator to use impersonation, this can be used for further privilege escalation to other cluster identities.
External attackers cannot exploit this vulnerability without being a member of the tailnet.
What do I need to do?
Update the Tailscale Kubernetes operator image to version unstable-v1.53.37 or later.
If you used the official operator manifest file, download the new manifest file and run kubectl apply -f manifest.yaml.
If you used the Helm chart, set operatorConfig.image.tag to unstable-v1.53.37 in the values.yaml file and run helm upgrade <path-to-chart-directory> -n tailscale -f <path-to-values-file>.
If you wrote your own manifest or Helm chart, update the k8s-operator image tag to unstable-v1.53.37 and redeploy it.