Description
This release of Teleport contains 4 security fixes as well as multiple improvements and bug fixes.
[Critical] Privilege escalation via host user creation
When using automatic Linux user creation, an attacker could exploit a race condition in the user creation functionality to create arbitrary files on the system as root writable by the created user.
This could allow the attacker to escalate their privileges to root.
Users who aren't using automatic Linux host user creation aren’t affected by this vulnerability.
[High] Insufficient auth token verification when signing self-hosted database certificates
When signing self-hosted database certificates, Teleport did not sufficiently validate the authorization token type.
This could allow an attacker to sign valid database access certificates using a guessed authorization token name.
Users who aren’t using self-hosted database access aren’t affected by this vulnerability.
[High] Privilege escalation via untrusted config file on Windows
When loading the global tsh configuration file tsh.yaml on Windows, Teleport would look for the file in a potentially untrusted directory.
This could allow a malicious user to create harmful command aliases for all tsh users on the system.
Users who aren’t using tsh on Windows aren’t affected by this vulnerability.
[High] XSS in SAML IdP
When registering a service provider with SAML IdP, Teleport did not sufficiently validate the ACS endpoint.
This could allow an attacker to execute arbitrary code at the client-side leading to privilege escalation.
This issue only affects Teleport Enterprise Edition. Enterprise users who aren’t using Teleport SAML IdP functionality aren’t affected by this vulnerability.
Other fixes and improvements
- Added
change_feed_conn_stringoption to PostgreSQL backend. #31938 - Added single-command AWS OIDC integration. #31790
- Added
pprofsupport to Kubernetes Operator to diagnose memory use. #31707 - Added support for bot and agent joining from external Kubernetes Clusters. #31703
- Extend EC2 joining to Discovery, MDM and Okta services. #31894
- Support discovery for new AWS region il-central-1. #31830 #31840
- Fails with an error if desktops are created with invalid names. #31766
- Fixed directory sharing in Desktop Access for non-ascii directory names. #31924
- Fixed a
MissingRegionerror that would sometimes occur when running the discovery bootstrap command #31701 - Fixed incorrect autofill in Safari. #31611
- Fixed terminal resizing bug in web terminal. #31586
- Fixed Session & Identity search bar. #31581
- Fixed desktop sessions' viewport size to the size of browser window at session start. #31524
- Fixed database and k8s cluster resource names to avoid name collisions. #30456
tctl sso configure githubnow includes default GitHub endpoints #31480tsh [proxy | db | kube]subcommands now support--queryand--labelsoptional arguments. #32087tshandtctlcan select an auto-discovered database or Kubernetes cluster by its original name instead of the more detailed name generated by the v14+ Teleport Discovery service. #32087tshtext-formatted output in non-verbose mode will display auto-discovered resources with original resource names instead of the more detailed names generated by the v14+ Teleport Discovery service. #32084 #32083- Updated discovery installers to work with SUSE zypper package manager. #31428
- Updated Go to v1.20.8 #31506
- Updated OpenSSL to 3.0.11 #32160
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
labels: security-patch=yes, security-patch-alts=v13.3.9