github gravitational/teleport v6.2.12
Teleport 6.2.12

3 years ago

This release of Teleport contains multiple security fixes.

Description

As part of a routine security audit of Teleport, several security vulnerabilities and miscellaneous issues were discovered in Teleport 4.4, 5, 6, and 7. We strongly suggest upgrading to the latest release.

Details

Below are the issues found, their impact, and the components of Teleport they affect.

Server Access

An attacker in a privileged network position (able to intercept or redirect traffic between a Teleport client or agent and the cluster) could forge SSH host certificates that Teleport would incorrectly validate in specific code paths. The specific paths of concern are:

  • Using tsh with an identity file (commonly used for service accounts). This could leak the sensitive commands the service account runs, and in proxy recording mode the attacker could also gain control of the SSH agent being used.

  • Teleport agents could incorrectly connect to an attacker-controlled cluster. Note that this would not give the attacker access to or control of resources (such as SSH, Kubernetes, Application, or Database servers), because Teleport agents still reject all connections that do not carry a valid X.509 or SSH user certificate.

Database Access

When connecting to a Postgres database, an attacker could craft a database name or a username that gave them control over the resulting connection string.

An attacker could have used this to probe connections to other reachable database servers and to alter connection parameters, for example disabling TLS or directing the connection to a database that authenticates by password.
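The following added example (not Teleport's code, and not a reproduction of the affected code) shows how a libpq-style key=value connection string becomes attacker-controlled when identifiers are interpolated verbatim, and how quoting each value (single quotes, with backslash escapes for `\` and `'`) removes the injection. `ParseDSN` is a deliberately small parser written for the example; the attacker payload and host names are constructed. Because a repeated key overrides the earlier value in libpq-style parsing, trusted settings placed before the user-supplied ones offer no protection.

```go
package main

import (
	"fmt"
	"strings"
)

// quoteDSNValue wraps v in single quotes and backslash-escapes '\' and '\''
// (the libpq quoting rule for keyword/value strings), so a value can never
// start a new key=value pair. Example helper, not Teleport code.
func quoteDSNValue(v string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for i := 0; i < len(v); i++ {
		if v[i] == '\\' || v[i] == '\'' {
			b.WriteByte('\\')
		}
		b.WriteByte(v[i])
	}
	b.WriteByte('\'')
	return b.String()
}

// BuildDSNUnsafe interpolates user-controlled identifiers verbatim. The
// trusted settings come first, so anything injected later overrides them.
func BuildDSNUnsafe(host, dbName, user string) string {
	return fmt.Sprintf("host=%s port=5432 sslmode=verify-full dbname=%s user=%s", host, dbName, user)
}

// BuildDSNSafe quotes every interpolated value.
func BuildDSNSafe(host, dbName, user string) string {
	return fmt.Sprintf("host=%s port=5432 sslmode=verify-full dbname=%s user=%s",
		quoteDSNValue(host), quoteDSNValue(dbName), quoteDSNValue(user))
}

// ParseDSN tokenizes a key=value connection string the way a libpq-style
// client does (simplified: no whitespace allowed around '='): pairs are
// separated by whitespace, values may be single-quoted with backslash
// escapes, and a repeated key overrides the earlier value.
func ParseDSN(dsn string) (map[string]string, error) {
	out := map[string]string{}
	isSpace := func(c byte) bool { return c == ' ' || c == '\t' || c == '\n' }
	i := 0
	for i < len(dsn) {
		for i < len(dsn) && isSpace(dsn[i]) {
			i++
		}
		if i >= len(dsn) {
			break
		}
		start := i
		for i < len(dsn) && dsn[i] != '=' && !isSpace(dsn[i]) {
			i++
		}
		if i >= len(dsn) || dsn[i] != '=' {
			return nil, fmt.Errorf("missing '=' after %q", dsn[start:i])
		}
		key := dsn[start:i]
		i++ // skip '='
		var val strings.Builder
		if i < len(dsn) && dsn[i] == '\'' {
			i++ // opening quote
			closed := false
			for i < len(dsn) && !closed {
				switch {
				case dsn[i] == '\\' && i+1 < len(dsn):
					val.WriteByte(dsn[i+1])
					i += 2
				case dsn[i] == '\'':
					closed = true
					i++
				default:
					val.WriteByte(dsn[i])
					i++
				}
			}
			if !closed {
				return nil, fmt.Errorf("unterminated quoted value for %q", key)
			}
		} else {
			for i < len(dsn) && !isSpace(dsn[i]) {
				val.WriteByte(dsn[i])
				i++
			}
		}
		out[key] = val.String()
	}
	return out, nil
}

func main() {
	payload := "alice host=10.0.0.9 sslmode=disable password=hunter2" // constructed attacker input
	for _, dsn := range []string{BuildDSNUnsafe("db.internal", "prod", payload), BuildDSNSafe("db.internal", "prod", payload)} {
		params, err := ParseDSN(dsn)
		fmt.Printf("%s\n  -> host=%s sslmode=%s password=%q err=%v\n", dsn, params["host"], params["sslmode"], params["password"], err)
	}
}
```

Quoting is the minimal fix; a stricter design validates the identifiers against an allowlist (for example alphanumerics, underscore and hyphen) or avoids building a string at all by passing parameters as structured driver configuration, so the proxy never has to reason about connection-string syntax.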

All

During an internal security exercise, our engineers discovered a vulnerability in the Teleport build infrastructure, affecting Teleport 4.4, 5, 6, and 7, that could potentially have been used to alter build artifacts. We have found no evidence of any exploitation. In an effort to be open and transparent with our customers, we encourage all customers to upgrade to the latest patch release.

Actions

For all users, we recommend upgrading all components of their Teleport cluster. If upgrading all components is not possible, we recommend upgrading tsh and Teleport agents (including trusted cluster proxies) that use reverse tunnels.

Upgrades should follow the normal Teleport upgrade procedure: https://goteleport.com/teleport/docs/admin-guide/#upgrading-teleport.

Breaking changes

You will no longer be able to connect via the web UI to OpenSSH nodes that present public keys or certificates not signed by Teleport. Use an OpenSSH client, or tsh with its insecure flag, to connect to such nodes.

Download

Download one of the following releases to mitigate these issues:

  • Teleport 7.1.1
  • Teleport 6.2.12
  • Teleport 5.2.4
  • Teleport 4.4.11

Download the current and previous releases of Teleport at https://gravitational.com/teleport/download.
