Unraid Authentication Bypass Vulnerability in WebGUI via Tailscale Integration

Vulnerability

An authentication bypass vulnerability has been identified in Unraid 7.0.0 (all versions prior to 7.0.1). When a container is set to 'Host' networking mode and 'Use Tailscale' is enabled for it, remote users can access the Unraid WebGUI and web console as root without authentication. The cause is the Tailscale integration introduced in Unraid 7.0.0: traffic it delivers to the WebGUI port appears to originate from localhost, and localhost connections are exempt from authentication. Anyone able to connect through that container's Tailscale device therefore gains root access to the WebGUI and the built-in web terminal.

Impact

Exploitation of this vulnerability allows remote users to access the Unraid WebGUI and web console as root, without authentication.

Reproduction

To reproduce this vulnerability, first ensure that Unraid 7.0.0 is installed. Then enable the Tailscale integration on a container running in 'Host' networking mode. Once the container is running, grant a user access to the Tailscale device associated with that container. The user can then reach the Unraid WebGUI by navigating to the Tailscale address without a port number, which defaults to 80 or 443. This results in unauthorized root access to the WebGUI and web console.

Remediation

Upgrade to Unraid 7.0.1 or later, where this vulnerability has been addressed. If upgrading is not immediately possible, disable the Tailscale integration for containers in 'Host' networking mode, or use Tailscale ACLs to restrict access to the WebGUI port (80/443) on the affected Tailscale device. Another option is to modify the nginx configuration to remove the authentication bypass for localhost, but this change does not persist and must be reapplied after each server restart.
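As an added illustration of the ACL-based mitigation (not part of the original advisory), the Tailscale policy file below assumes the container's Tailscale node carries the tag tag:unraid-host and that the container serves on port 8096; the group names and e-mail addresses are constructed. Tailscale ACLs are allow-list only, so the WebGUI ports are restricted by never granting them: the commented-out rule is the over-broad grant that exposes ports 80 and 443, and the rules that follow grant only the container's own service port.

```jsonc
{
  // Assumed tag for the Tailscale node created by the 'Host'-mode container.
  "tagOwners": {
    "tag:unraid-host": ["group:admins"]
  },
  "groups": {
    "group:admins": ["admin@example.com"],
    "group:media":  ["alice@example.com", "bob@example.com"]
  },
  "acls": [
    // WEAK: a "*" destination also covers ports 80 and 443, so every member
    // who reaches the node lands on the WebGUI as root (the 7.0.0 bypass).
    // {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:unraid-host:*"]},

    // HARDENED: grant only the container's service port (8096 is assumed).
    // Ports 80 and 443 are never listed, so Tailscale's default deny applies.
    {"action": "accept", "src": ["group:media"],  "dst": ["tag:unraid-host:8096"]},

    // Maintenance access for admins stays explicit and port-scoped (SSH assumed).
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:unraid-host:22"]}
  ],
  "tests": [
    // Policy tests: Tailscale rejects the file if these expectations fail,
    // so the WebGUI ports cannot be reopened by accident on a later edit.
    {"src": "alice@example.com",
     "accept": ["tag:unraid-host:8096"],
     "deny":   ["tag:unraid-host:80", "tag:unraid-host:443"]},
    {"src": "admin@example.com",
     "accept": ["tag:unraid-host:22"],
     "deny":   ["tag:unraid-host:80", "tag:unraid-host:443"]}
  ]
}
```

The "tests" block is evaluated whenever the policy is saved, which turns the port restriction into a check rather than a convention.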

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 7.5
exploitability: 6.9
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.