ts-2025-003
Vulnerability from tailscale
Description: Insecure non-constant time comparison in DERP server mesh authentication
What happened?
Tailscale's DERP (Designated Encrypted Relay for Packets) servers provide connectivity between Tailscale nodes in the event that they cannot mutually communicate due to network restrictions. DERP servers deployed in the same region communicate using a private mesh API to coordinate client connections amongst themselves. These private mesh connections authenticate using a pre-shared secret key.
The DERP servers previously used an insecure non-constant time comparison when verifying the mesh authentication secret. This would have allowed an attacker to discover the mesh secret by performing a side channel timing attack.
The issue was present since the introduction of DERP meshing and patched on May 21, 2025. We have updated all Tailscale-managed DERP servers and rotated their mesh secrets.
Who was affected?
All Tailscale-operated DERP servers and Tailscale users who operate their own custom DERP servers with more than one server per region.
What was the impact?
An attacker who discovered the mesh key could not see any plaintext traffic between nodes, since all traffic is end-to-end encrypted.
An attacker with mesh access would have been able to enumerate all peers connected to a DERP server, including their WireGuard public key and their source IP address and port.
An attacker with mesh access would have been able to perform a denial-of-service attack (DoS attack), prohibiting a node’s keys on any DERP servers by forcing disconnects of meshed DERP servers by using the ClosePeer API.
We have no evidence to indicate any abuse of this issue.
What do I need to do?
If you operate your own custom DERP servers in a mesh setup, you should update to the latest version and rotate any mesh keys that were previously in use.
Show details on source website{
"guidislink": false,
"id": "https://tailscale.com/security-bulletins/#ts-2025-003",
"link": "https://tailscale.com/security-bulletins/#ts-2025-003",
"links": [
{
"href": "https://tailscale.com/security-bulletins/#ts-2025-003",
"rel": "alternate",
"type": "text/html"
}
],
"published": "Wed, 21 May 2025 00:00:00 GMT",
"summary": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: Insecure non-constant time comparison in DERP server mesh authentication\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eTailscale\u0027s \u003ca href=\"https://tailscale.com/kb/1232/derp-servers\"\u003eDERP (Designated Encrypted Relay for Packets) servers\u003c/a\u003e provide connectivity between Tailscale nodes in the event that they cannot mutually communicate due to network restrictions. DERP servers deployed in the same region communicate using a private mesh API to coordinate client connections amongst themselves. These private mesh connections authenticate using a pre-shared secret key.\u003c/p\u003e\n\u003cp\u003eThe DERP servers previously used an insecure non-constant time comparison when verifying the mesh authentication secret. This would have allowed an attacker to discover the mesh secret by performing a side channel timing attack.\u003c/p\u003e\n\u003cp\u003eThe issue was present since the introduction of DERP meshing and patched on May 21, 2025. We have updated all Tailscale-managed DERP servers and rotated their mesh secrets.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eAll Tailscale-operated DERP servers and Tailscale users who operate their own custom DERP servers with more than one server per region.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eAn attacker who discovered the mesh key could not see any plaintext traffic between nodes, since all traffic is end-to-end encrypted.\u003c/p\u003e\n\u003cp\u003eAn attacker with mesh access would have been able to enumerate all peers connected to a DERP server, including their WireGuard public key and their source IP address and port.\u003c/p\u003e\n\u003cp\u003eAn attacker with mesh access would have been able to perform a denial-of-service attack (DoS attack), prohibiting a node\u2019s keys on any DERP servers by forcing disconnects of meshed DERP servers by using the \u003ca href=\"https://pkg.go.dev/tailscale.com/derp#Client.ClosePeer\"\u003eClosePeer\u003c/a\u003e API.\u003c/p\u003e\n\u003cp\u003eWe have no evidence to indicate any abuse of this issue.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eIf you operate your own custom DERP servers in a mesh setup, you should update to the latest version and rotate any mesh keys that were previously in use.\u003c/p\u003e",
"summary_detail": {
"base": "https://tailscale.com/security-bulletins/index.xml",
"language": null,
"type": "text/html",
"value": "\u003cp\u003e\u003cstrong\u003e\u003cem\u003eDescription\u003c/em\u003e\u003c/strong\u003e: Insecure non-constant time comparison in DERP server mesh authentication\u003c/p\u003e\n\u003ch4\u003eWhat happened?\u003c/h4\u003e\n\u003cp\u003eTailscale\u0027s \u003ca href=\"https://tailscale.com/kb/1232/derp-servers\"\u003eDERP (Designated Encrypted Relay for Packets) servers\u003c/a\u003e provide connectivity between Tailscale nodes in the event that they cannot mutually communicate due to network restrictions. DERP servers deployed in the same region communicate using a private mesh API to coordinate client connections amongst themselves. These private mesh connections authenticate using a pre-shared secret key.\u003c/p\u003e\n\u003cp\u003eThe DERP servers previously used an insecure non-constant time comparison when verifying the mesh authentication secret. This would have allowed an attacker to discover the mesh secret by performing a side channel timing attack.\u003c/p\u003e\n\u003cp\u003eThe issue was present since the introduction of DERP meshing and patched on May 21, 2025. We have updated all Tailscale-managed DERP servers and rotated their mesh secrets.\u003c/p\u003e\n\u003ch4\u003eWho was affected?\u003c/h4\u003e\n\u003cp\u003eAll Tailscale-operated DERP servers and Tailscale users who operate their own custom DERP servers with more than one server per region.\u003c/p\u003e\n\u003ch4\u003eWhat was the impact?\u003c/h4\u003e\n\u003cp\u003eAn attacker who discovered the mesh key could not see any plaintext traffic between nodes, since all traffic is end-to-end encrypted.\u003c/p\u003e\n\u003cp\u003eAn attacker with mesh access would have been able to enumerate all peers connected to a DERP server, including their WireGuard public key and their source IP address and port.\u003c/p\u003e\n\u003cp\u003eAn attacker with mesh access would have been able to perform a denial-of-service attack (DoS attack), prohibiting a node\u2019s keys on any DERP servers by forcing disconnects of meshed DERP servers by using the \u003ca href=\"https://pkg.go.dev/tailscale.com/derp#Client.ClosePeer\"\u003eClosePeer\u003c/a\u003e API.\u003c/p\u003e\n\u003cp\u003eWe have no evidence to indicate any abuse of this issue.\u003c/p\u003e\n\u003ch4\u003eWhat do I need to do?\u003c/h4\u003e\n\u003cp\u003eIf you operate your own custom DERP servers in a mesh setup, you should update to the latest version and rotate any mesh keys that were previously in use.\u003c/p\u003e"
},
"title": "TS-2025-003",
"title_detail": {
"base": "https://tailscale.com/security-bulletins/index.xml",
"language": null,
"type": "text/plain",
"value": "TS-2025-003"
}
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.