CVE-2023-28436: 
Tailscale vulnerability analysis and mitigation

A vulnerability was identified in the implementation of Tailscale SSH starting in version 1.34.0 and prior to 1.38.2 in FreeBSD that allows commands to be run with a higher privilege group ID than that specified in Tailscale SSH access rules. The issue was discovered in March 2023 and affects FreeBSD-based systems using Tailscale SSH (GitHub Advisory, NVD).

The vulnerability stems from a difference in the behavior of the FreeBSD setgroups system call from POSIX standards. When accessing a FreeBSD host over Tailscale SSH, the egid (effective group ID) of the tailscaled process was used instead of that of the user specified in Tailscale SSH access rules. The CVSS v3.1 base score is 5.7 (Medium), with the vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N (GitHub Advisory).

The vulnerability affected 9 tailnets with 22 FreeBSD nodes running Tailscale SSH since version 1.34. The impact was that Tailscale SSH commands could be run with a higher privilege group ID than specified in access rules when all of the following conditions were met: the destination node was a FreeBSD device with Tailscale SSH enabled, Tailscale SSH access rules permitted access for non-root users, and a non-interactive SSH session was used (GitHub Advisory).

The vulnerability was fixed in Tailscale version 1.38.2. FreeBSD users should upgrade to this version or later to remediate the issue. For users who need to update the local ports tree in advance of what's available upstream, they can update by: cd /usr/ports/security/tailscale, edit the Makefile to set PORTVERSION to 1.38.2, then run make makesum and make install (GitHub Advisory).