CVE-2022-41924: CWE-346: Origin Validation Error in tailscale tailscale
A vulnerability identified in the Tailscale Windows client allows a malicious website to reconfigure the Tailscale daemon `tailscaled`, which can then be used to remotely execute code. In the Tailscale Windows client, the local API was bound to a local TCP socket and communicated with the Windows client GUI in cleartext with no Host header verification. This allowed an attacker-controlled website visited by the node to rebind DNS to an attacker-controlled DNS server and then make local API requests in the client, including changing the coordination server to an attacker-controlled coordination server. An attacker-controlled coordination server can send malicious URL responses to the client, including pushing executables or installing an SMB share. These allow the attacker to remotely execute code on the node. All Windows clients prior to version v1.32.3 are affected. If you are running Tailscale on Windows, upgrade to v1.32.3 or later to remediate the issue.
AI Analysis
Technical Summary
CVE-2022-41924 is a security vulnerability affecting the Tailscale Windows client versions prior to 1.32.3. The core issue lies in the local API of the Tailscale Windows client, which is bound to a local TCP socket and communicates with the Windows client GUI in cleartext without verifying the Host header. This lack of origin validation (CWE-346) allows a malicious website visited by the user to manipulate the Tailscale daemon (tailscaled) by issuing unauthorized local API requests. Specifically, an attacker can rebind the DNS settings to an attacker-controlled DNS server and change the coordination server to one under their control. The coordination server is responsible for managing network configurations and client updates. By controlling it, an attacker can send malicious URL responses to the client, including pushing executables or installing SMB shares, which can lead to remote code execution on the affected Windows node. This vulnerability is compounded by the absence of proper Cross-Site Request Forgery (CSRF) protections (CWE-352), enabling the attacker to perform these actions through a malicious website without user consent or interaction beyond visiting the site. The vulnerability does not require prior authentication but does require the user to visit a malicious website while running a vulnerable Tailscale Windows client. No known exploits in the wild have been reported to date. The vendor has addressed the issue in version 1.32.3 of the Tailscale Windows client, and upgrading to this or later versions mitigates the vulnerability.
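The two weaknesses named above, a local HTTP API that never checks the Host header (CWE-346) and that accepts browser-originated requests without any CSRF protection (CWE-352), are easiest to see side by side. The following Go program is an added example written for this page; it is not Tailscale's code, and the preference field, the path `/localapi/v0/prefs`, the port 41112 and the host names `attacker.example`, `evil.example` and `controlplane.example` are all constructed placeholders. It runs an unprotected handler and the same handler wrapped in a `localOnly` check against three in-process requests: what a native GUI sends, what a DNS-rebound page sends (Host carries the attacker's name even though it now resolves to 127.0.0.1), and what a page that posts a form straight to 127.0.0.1 sends (Host is fine, but Origin gives it away).

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// prefs is a hypothetical in-memory stand-in for the daemon settings the
// advisory says a website could rewrite; the field name is an assumption,
// not Tailscale's real preference schema.
type prefs struct {
	ControlURL string // coordination ("control") server URL
}

// handler is the unprotected local API endpoint: any POST that reaches it
// changes the coordination server. This is the vulnerable behaviour.
func (p *prefs) handler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	p.ControlURL = r.FormValue("control_url")
	fmt.Fprintln(w, "ok")
}

// hostIsLoopback checks the literal Host header, not the resolved address.
// After DNS rebinding, attacker.example resolves to 127.0.0.1, yet the browser
// still sends "Host: attacker.example", which is what this check catches.
func hostIsLoopback(hostHeader string) bool {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h // strip the port if one is present
	}
	host = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	if strings.EqualFold(host, "localhost") {
		return true
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}

// rejectReason returns "" when the request may proceed. The Host check defeats
// rebinding; the Origin check defeats a page that simply posts a form to
// http://127.0.0.1:<port> (plain CSRF). The assumed legitimate client is a
// native GUI, which never sends an Origin header.
func rejectReason(host, origin string) string {
	if !hostIsLoopback(host) {
		return "Host is not a loopback address (possible DNS rebinding)"
	}
	if origin != "" {
		return "Origin header present: browser-initiated request (possible CSRF)"
	}
	return ""
}

// localOnly wraps a handler with both checks and logs every rejection, which
// is also the event a detection rule for this class of bug would key on.
func localOnly(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if reason := rejectReason(r.Host, origin); reason != "" {
			log.Printf("localapi: rejected %s %s host=%q origin=%q: %s",
				r.Method, r.URL.Path, r.Host, origin, reason)
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// forgedPost builds the simple form POST a browser emits: Host reflects the
// URL the page used, Origin is set for cross-site requests. Port and path
// are assumptions for this example.
func forgedPost(host, origin string) *http.Request {
	req := httptest.NewRequest(http.MethodPost, "http://"+host+"/localapi/v0/prefs",
		strings.NewReader("control_url=https://evil.example"))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	return req
}

// serve runs one request through h in-process and returns the status code.
func serve(h http.Handler, req *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct{ who, host, origin string }{
		{"native GUI", "127.0.0.1:41112", ""},
		{"DNS-rebound page", "attacker.example:41112", ""},
		{"page posting straight to 127.0.0.1", "127.0.0.1:41112", "http://attacker.example"},
	}
	for _, hardened := range []bool{false, true} {
		for _, c := range cases {
			p := &prefs{ControlURL: "https://controlplane.example"} // constructed value
			var h http.Handler = http.HandlerFunc(p.handler)
			if hardened {
				h = localOnly(h)
			}
			code := serve(h, forgedPost(c.host, c.origin))
			fmt.Printf("hardened=%-5v %-36s -> %d, control URL now %s\n",
				hardened, c.who, code, p.ControlURL)
		}
	}
}
```

Run with `go run .`: without `localOnly` all three requests return 200 and the coordination server is swapped each time; with it, only the GUI-shaped request is accepted. The Host check alone is not enough, because a browser can target 127.0.0.1 directly with a form POST and no preflight, which is why the Origin check (or, as in the vendor's design space, a per-process secret the page cannot read) is needed as well.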
Potential Impact
For European organizations using Tailscale on Windows endpoints, this vulnerability poses a significant risk. Successful exploitation allows attackers to remotely execute arbitrary code on affected machines, potentially leading to full system compromise. This can result in data breaches, lateral movement within corporate networks, disruption of services, and deployment of ransomware or other malware. Since Tailscale is often used to create secure mesh VPNs for remote access and inter-office connectivity, compromising the client could undermine the security of the entire network infrastructure. The ability to reconfigure DNS and coordination servers could also facilitate man-in-the-middle attacks, data exfiltration, and persistent access. Given the ease of exploitation via a malicious website and the lack of authentication requirements, the attack surface is broad, especially for organizations with users who browse the internet on vulnerable clients. The impact is particularly critical for sectors with high-value data or critical infrastructure, such as finance, healthcare, and government agencies in Europe.
Mitigation Recommendations
1. Immediate upgrade of all Tailscale Windows clients to version 1.32.3 or later is essential to remediate the vulnerability.
2. Implement network-level controls to restrict outbound DNS queries and coordination server communications to known, trusted IP addresses and domains to prevent unauthorized redirection.
3. Employ endpoint protection solutions capable of detecting anomalous local API calls or unexpected changes to network configurations.
4. Educate users about the risks of visiting untrusted websites, especially when connected to corporate networks via Tailscale.
5. Monitor network traffic for unusual DNS requests or connections to unknown coordination servers.
6. Consider deploying application whitelisting to prevent unauthorized executables from running, which could be pushed by an attacker-controlled coordination server.
7. For organizations with high security requirements, consider isolating Tailscale clients in segmented network zones to limit the impact of a compromised node.
8. Regularly audit and verify the integrity of Tailscale client configurations and coordination server settings.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2022-09-30T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6d74
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 8:53:29 PM
Last updated: 7/30/2025, 9:19:23 PM
Views: 16