Description: An issue in the Tailscale client, combined with a behavior
of the UPnP implementations in some routers, could expose all UDP ports of a
node to external networks (usually the internet).
As of 2023-08-22 2:30 AM UTC, we have changed the Tailscale coordination server
to advise nodes to stop using UPnP for port mapping. In some cases this can
degrade NAT traversal and may cause some connections to route through DERP.
This may increase node-to-node latency and decrease throughput. Version 1.48.1
resolves the issue and re-enables port mapping via UPnP.
What happened?
Tailscale nodes use UPnP as one of the mechanisms to open UDP port forwarding
in routers to help with NAT traversal. Tailscale picks a node port and an
external router port and requests forwarding between them. On first start
Tailscale requested external port 0, which many routers interpret as a
request to pick a random available port. However, some routers interpret this
as a request to listen on all external ports and forward traffic to matching
node ports.
Depending on the router's implementation of UPnP, a node could end up open to
all UDP traffic from external networks. If some processes listen on UDP ports
on the node, this could be used as a vector of attack against other software
running on the node.
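As an added example (not Tailscale's code), the following Python shows both sides of the mechanism described above: a client-side builder for the UPnP IGD AddPortMapping request that refuses an external port of 0, and an audit over GetGenericPortMappingEntry responses that flags any mapping already on a router whose external port is 0. The SOAP action and argument names are those of the UPnP WANIPConnection service; the addresses, ports and router responses are constructed for the example.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

def soap_message(action, args):
    # Wrap an IGD action and its ordered (name, value) arguments in a SOAP envelope.
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args)
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{action} xmlns:u="{IGD_NS}">{body}</u:{action}></s:Body></s:Envelope>')

def build_add_port_mapping(external_port, internal_port, client, protocol="UDP"):
    # AddPortMapping request with an explicit external port. Port 0 is refused: it is
    # what the pre-1.48.1 client sent, and miniupnpd 1.9 and earlier treat it as
    # a request for every external port.
    for p in (external_port, internal_port):
        if not 1 <= p <= 65535:
            raise ValueError(f"port must be an explicit value in 1..65535, got {p}")
    return soap_message("AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", external_port),
        ("NewProtocol", protocol), ("NewInternalPort", internal_port),
        ("NewInternalClient", client), ("NewEnabled", 1),
        ("NewPortMappingDescription", "example-client"), ("NewLeaseDuration", 0)])

def mapping_fields(soap_xml):
    # Arguments of the first action in a SOAP message as {name: text}. Works for
    # AddPortMapping requests and Get*PortMappingEntry responses alike.
    body = ET.fromstring(soap_xml).find(f"{{{SOAP_NS}}}Body")
    return {c.tag: (c.text or "").strip() for c in next(iter(body))}

def find_wildcard_mappings(responses):
    # Audit GetGenericPortMappingEntry responses collected from a router: return
    # (protocol, client, internal_port) for every entry whose external port is 0,
    # i.e. a mapping a wildcard-capable server applies to all external ports.
    hits = []
    for xml in responses:
        f = mapping_fields(xml)
        if f.get("NewExternalPort") == "0":
            hits.append((f["NewProtocol"], f["NewInternalClient"], f["NewInternalPort"]))
    return hits

def entry_response(ext, proto, internal, client, desc):
    # Constructed GetGenericPortMappingEntryResponse, shaped as a router returns it.
    return soap_message("GetGenericPortMappingEntryResponse", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext), ("NewProtocol", proto),
        ("NewInternalPort", internal), ("NewInternalClient", client),
        ("NewEnabled", 1), ("NewPortMappingDescription", desc), ("NewLeaseDuration", 0)])

# Constructed sample table (addresses and ports are illustrative): entry 0 is a
# wildcard UDP mapping left behind by a client that asked for port 0, entry 1 is normal.
SAMPLE_RESPONSES = [entry_response(0, "UDP", 41641, "192.0.2.20", "tailscale"),
                    entry_response(8080, "TCP", 80, "192.0.2.30", "web")]
```

Running `find_wildcard_mappings(SAMPLE_RESPONSES)` over responses fetched from a real router (one GetGenericPortMappingEntry call per index until the device returns an error) lists any wildcard UDP mapping that should be deleted.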
Any firewall software running on the node would be able to stop unwanted UDP
packets, if configured to do so.
The bug was discovered and fixed on 2023-08-21, and the fix was published in
the 1.48.1 release.
Who is affected?
The only known vulnerable routers are those running the miniupnpd server,
versions 1.9 (2016) or earlier. Other UPnP server implementations may also be
vulnerable, but Tailscale is not aware of any as of 2023-08-22.
A small percentage of nodes listened on router port 0 via UPnP before the
mitigation was deployed. All nodes running vulnerable versions now have UPnP
port mapping disabled.
What is the impact?
Any service on the node that listens on a UDP port bound to any IP (all
addresses) could receive traffic from external networks. This only applies to
networks where the router implements UPnP wildcard port support.
If such a service does not implement authentication and/or authorization,
allows packets to trigger sensitive actions, or has separate
remotely-exploitable vulnerabilities, the node could be compromised by an
attacker.
What do I need to do?
UPnP on vulnerable versions was disabled by the coordination server. Update
Tailscale to version 1.48.1 or later to restore NAT traversal using UPnP for
better node connectivity.
We do not recommend disabling UPnP or other port-mapping protocols on your
router. These protocols greatly improve connectivity for Tailscale and other
applications.