
Potential security issue #1620

Closed
JamieSlome opened this issue Apr 10, 2022 · 5 comments

Comments

@JamieSlome

Hey there!

I belong to an open source security research community, and a member (@ycdxsb) has found an issue, but doesn’t know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

@erikh
Contributor

erikh commented Apr 10, 2022

Hey there, I've notified the powers that be to offer a response, but they may not be available until Monday at the earliest. If you could be so kind as to make no public disclosure in the meantime, that'd be ideal.

Thanks for your research and the impetus for us to create this file.

@adamierymenko
Contributor

You can e-mail adam.ierymenko@zerotier.com with an encrypted message to key:


@JamieSlome
Author

@erikh @adamierymenko - thanks for your responses 👍

I will get an e-mail sent over to the address mentioned above now :)

Just for reference, the report can be found directly here:
https://huntr.dev/bounties/e7835226-1b20-4546-b256-3f625badb022/

It is private and only accessible to maintainers with repository write permissions. Let me know if you have any questions.

@someara
Contributor

someara commented Apr 11, 2022

Got this patched up and released as 1.8.8. Thanks!
-s

@someara
Contributor

someara commented Apr 11, 2022

This was a Windows Local Privilege Escalation, released as CVE-2022-1316.

https://www.zerotier.com/2022/04/11/zerotier-for-windows-local-privilege-escalation/

Fixed in ffb444d

@someara someara closed this as completed Apr 11, 2022