Description
This release of Teleport contains 2 security fixes as well as multiple improvements and bug fixes.
[High] OS authorization bypass in SSH tunneling
When establishing an SSH port forwarding connection, Teleport did not
sufficiently validate the specified OS principal.
This could allow an attacker in possession of valid cluster credentials to
establish a TCP tunnel to a node using a non-existent Linux user.
The connection attempt would show up in the audit log as a "port" audit event
(code T3003I) and include a Teleport username in the "user" field.
[High] Teleport authorization bypass in Kubernetes Access
When authorizing a Kubernetes Access request, Teleport did not adequately
validate the target Kubernetes cluster.
This could allow an attacker in possession of valid Kubernetes agent credentials
or a join token to trick Teleport into forwarding requests to a different
Kubernetes cluster.
Every Kubernetes request would show up in the audit log as a "kube.request"
audit event (code T3009I) and include the Kubernetes cluster metadata.
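To review past activity for both issues above, the two audit events can be pulled out of an exported audit log and summarised. This is an added example, not Teleport's own code; it assumes a JSON-lines export, the field names "login", "addr" and "kubernetes_cluster", and inventories of expected OS logins and Kubernetes clusters supplied by the operator.

```python
import json
from collections import Counter

PORT_CODE = "T3003I"  # "port" audit event (SSH port forwarding)
KUBE_CODE = "T3009I"  # "kube.request" audit event

# Constructed sample export, one JSON event per line. Field names other than
# "event", "code" and "user" ("login", "addr", "kubernetes_cluster") are assumed.
SAMPLE_LOG = """\
{"event":"port","code":"T3003I","user":"alice","login":"ubuntu","addr":"127.0.0.1:5432"}
{"event":"port","code":"T3003I","user":"mallory","login":"nosuchuser","addr":"10.0.0.5:22"}
{"event":"example.other","code":"X0000I","user":"alice"}
{"event":"kube.request","code":"T3009I","user":"bob","kubernetes_cluster":"prod"}
{"event":"kube.request","code":"T3009I","user":"bob","kubernetes_cluster":"staging"}
truncated-or-corrupt line
"""


def triage(lines, known_logins, known_clusters):
    """Return (port_events, kube_counts, skipped) for manual review."""
    port_events, kube_counts, skipped = [], Counter(), 0
    for raw in lines:
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            ev = None
        if not isinstance(ev, dict):
            skipped += 1  # count unparsable lines instead of hiding them
            continue
        if ev.get("code") == PORT_CODE:
            login = ev.get("login")
            port_events.append({
                "user": ev.get("user"), "login": login, "addr": ev.get("addr"),
                # Missing login, or one absent from the host inventory: review first.
                "review": login is None or login not in known_logins,
            })
        elif ev.get("code") == KUBE_CODE:
            cluster = ev.get("kubernetes_cluster")
            kube_counts[(ev.get("user"), cluster, cluster in known_clusters)] += 1
    return port_events, kube_counts, skipped


if __name__ == "__main__":
    ports, kube, skipped = triage(SAMPLE_LOG.splitlines(), {"ubuntu", "root"}, {"prod"})
    for p in ports:
        print("port", p)
    for (user, cluster, known), n in kube.items():
        print("kube.request", user, cluster, "known" if known else "UNKNOWN", n)
    print("unparsed lines:", skipped)
```

The unparsed-line count is returned so that a truncated export is noticed during review.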
[Medium] Moderated sessions leave behavior
Fixed an issue where a moderated session was terminated after a short delay instead
of being paused immediately when the moderator leaves.
Other improvements and fixes
- AMIs
- Added support for configuring TLS routing mode in AMIs. #23676
- Application Access
- Access Management
- Added per-session MFA support to connection testers. #22922
- Performance & scalability
- Database Access
- Server Access
- Desktop Access
- Kubernetes Access
- Auto-discovery
- Fixed issue with open-source package being installed for enterprise clusters. #22768
- Trusted Clusters
- Added ability to update role map without having to recreate the trusted cluster resource. #23645
- Tooling
- CLI
- Resource Joining
- FIPS
- Fixed startup issue in FIPS mode when local_auth isn't explicitly set. #22242
- Web UI
- Fixed intermittent "client connection is closing" errors in web UI after logging in. #23736
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes