Incident Response to September 20th 2021

UPDATE: Version 1.6.6 is now released and contains an additional mitigation against this issue. We recommend upgrading.

Intro

On Sep 20th, Pulse Security published an advisory detailing conditions in which they were able to inject packets into a ZeroTier network.

Status

  • Patches were applied to address this vulnerability on June 18, 2021, and September 20, 2021.
  • Exploitation required specific conditions and detailed information about a target.
  • We have no evidence that this vulnerability was ever exploited in the wild.
  • Our roots are now fully patched and additional mitigations are in place.
  • We will release a patch today that contains endpoint mitigations rendering the attack impossible. Upgrading is strongly recommended.

Summary

It was possible for an attacker to impersonate a ZeroTier node and inject packets into a network, under very specific circumstances. It required the generation of an identity whose address collides with another authorized node on a network, a task demanding significant compute resources, and detailed knowledge of the authorized member list for a target network.

Conditions Required for Attack

The following conditions were required to be true at the same time:

  • The attacker has generated an identity collision with an attacking address.
  • The attacking address must be authorized on the victim’s network.
  • Network rules must allow communication between attacker and victim.
  • For bi-directional communication, the attacker must establish a direct peer-to-peer link to the victim before the victim has established one with the authentic node.
  • The victim does not have the real identity of the attacking address cached. This can occur if they have not communicated for 30 days or more.
  • The roots must permit multiple valid identities with the same address.

To demonstrate the attack, Pulse Security generated two arbitrary colliding identities and pre-seeded an environment. Finding any two colliding identities is significantly easier than colliding with one specific existing identity, due to the birthday paradox. Attacking a live target would have been considerably more expensive, but not outside the reach of a well-resourced attacker.
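To make the two conditions above concrete (a well-formed colliding identity, and a victim whose cached identity for that address has expired), here is an added illustration in Python. It is not ZeroTier's code and not the mitigation ZeroTier shipped; the address derivation is a simplified stand-in, and the 30-day cache lifetime is an assumption taken from the advisory text.

```python
import hashlib
from dataclasses import dataclass, field

ADDRESS_BYTES = 5  # ZeroTier node addresses are 40 bits


def derive_address(public_key: bytes) -> bytes:
    # Assumption: plain SHA-512 stands in for ZeroTier's memory-hard
    # derivation; only "address = short digest of the key" matters here.
    return hashlib.sha512(public_key).digest()[-ADDRESS_BYTES:]


def identity_is_well_formed(address: bytes, public_key: bytes) -> bool:
    # A colliding identity passes this check: the attacker's key really
    # does derive to the victim's address, so well-formedness alone is
    # not enough to tell the two identities apart.
    return len(address) == ADDRESS_BYTES and derive_address(public_key) == address


@dataclass
class PeerCache:
    """Pins address -> public key for identities already verified as
    well-formed, and flags a different key appearing for a pinned address."""
    ttl_seconds: float                                    # how long a pin is remembered
    pinned: dict = field(default_factory=dict)            # address -> (key, last_seen)
    alerts: list = field(default_factory=list)            # detection log

    def check_pinned(self, address: bytes, public_key: bytes, now: float) -> bool:
        entry = self.pinned.get(address)
        if entry is not None and now - entry[1] > self.ttl_seconds:
            # Pin aged out: this is the window the advisory describes
            # (no contact with the authentic node for 30 days or more).
            entry = None
        if entry is None:
            self.pinned[address] = (public_key, now)
            return True
        if entry[0] == public_key:
            self.pinned[address] = (public_key, now)   # refresh last_seen
            return True
        self.alerts.append(
            f"identity collision on {address.hex()}: cached key "
            f"{entry[0].hex()[:16]}... != offered key {public_key.hex()[:16]}..."
        )
        return False
```

The alert path is where a node can at least log the attempt; an expiring pin is what turns a colliding identity into an accepted one.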

Mitigations So Far

  • Removed all support on roots for multiple identities with the same address.
  • Re-enabled full identity verification for all nodes connected to roots (this was done in June in response to the original report).
  • Implemented a mitigation in the ZeroTier core to render this attack impossible even in the presence of a colliding address or improperly configured roots. This will be released later today. Upgrading is recommended but not required.
  • Going forward we are planning to add tests for these scenarios to our validation pipeline.

Conclusion

We would like to take a moment to thank Pulse Security for bringing this issue to our attention and providing detailed information to assist us in developing a fix.