- Description: An attacker gains full control over Tailscale's central coordination server. They could manipulate tailnet configurations, add rogue nodes, modify ACLs, or redirect traffic. The attacker might use sophisticated techniques like exploiting zero-day vulnerabilities in the server software or compromising Tailscale employee credentials.
- Impact: Complete compromise of all tailnets managed by the server. Loss of confidentiality, integrity, and availability of connected services. Exposure of tailnet metadata.
- Tailscale Component Affected: Coordination Server (central infrastructure managed by Tailscale).
- Risk Severity: Critical
- Mitigation Strategies:
- (Primarily Tailscale's responsibility): Rely on Tailscale's security measures, audits, and incident response.
- (Developer/User): Monitor your tailnet for unexpected changes using the Tailscale API. Implement alerts for new node additions or ACL modifications.
- (Developer/User - High Security): Consider using a self-hosted Headscale server, removing reliance on Tailscale's infrastructure (but increasing your operational security burden).
Threat: Tailnet ACL Misconfiguration
- Description: An attacker exploits overly permissive Access Control Lists (ACLs) within the tailnet. This could be due to human error, lack of understanding of the ACL system, or a "set and forget" approach. The attacker might leverage a compromised node to access resources they shouldn't have access to.
- Impact: Unauthorized access to sensitive services and data. Lateral movement within the tailnet, allowing an attacker to escalate privileges or compromise additional nodes.
- Tailscale Component Affected: ACLs (configuration within the Tailscale control panel or defined in a JSON file).
- Risk Severity: High
- Mitigation Strategies:
- (Developer/User): Implement the principle of least privilege. Grant only the minimum necessary access to each node.
- (Developer/User): Regularly audit and review ACLs. Automate this process where possible.
- (Developer/User): Use Tailscale's ACL testing tools to simulate and validate rules.
- (Developer/User): Use "deny by default" policies, explicitly allowing only necessary connections.
Threat: Unauthorized Node Addition
- Description: An attacker adds an unauthorized node to the tailnet. This could be achieved by stealing Tailscale credentials, exploiting vulnerabilities in the authentication process, or bypassing device approval mechanisms.
- Impact: The attacker gains access to the tailnet and its resources, subject to the configured ACLs. Potential for data exfiltration or disruption of services.
- Tailscale Component Affected: Tailscale authentication and authorization mechanisms (including OAuth flows, API keys, and device approval settings).
- Risk Severity: High
- Mitigation Strategies:
- (Developer/User): Enforce strong authentication (MFA) for all Tailscale accounts.
- (Developer/User): Enable device approval, requiring administrator approval for new devices.
- (Developer/User): Regularly review the list of authorized nodes and remove any unauthorized devices.
- (Developer/User): Monitor for new node additions using the Tailscale API.
- Description: An attacker obtains Tailscale API keys or OAuth credentials used for automation or integration. This could happen through accidental exposure (e.g., committing keys to a public repository), phishing, or compromising a developer's workstation.
- Impact: Full control over the tailnet. The attacker could add/remove nodes, modify ACLs, and potentially access data (depending on ACLs).
- Tailscale Component Affected: Tailscale API, OAuth integration.
- Risk Severity: Critical
- Mitigation Strategies:
- (Developer/User): Securely store API keys and credentials using a secrets management system.
- (Developer/User): Grant only the necessary permissions to API keys (principle of least privilege).
- (Developer/User): Regularly rotate API keys.
- (Developer/User): Monitor API usage for suspicious activity.