We’ve upgraded all Teleport clusters from version 11.1.2 to 11.1.4.
This upgrade was done on all Teleport servers to fix potential vulnerabilties:
[Critical] RBAC bypass in SSH TCP tunneling
When establishing a direct-tcpip channel, Teleport did not sufficiently validate RBAC. This could allow an attacker in possession of valid cluster credentials to establish a TCP tunnel to a node they didn’t have access to. The connection attempt would show up in the audit log as a “port” audit event (code T3003I) and include Teleport username in the “user” field.
[High] Application Access session hijack
When accepting Application Access requests, Teleport did not sufficiently validate client credentials. This could allow an attacker in possession of a valid active application session ID to issue requests to this application impersonating the session owner for a limited time window. Presence of multiple “cert.create” audit events (code TC000I) with the same app session ID in the “route_to_app.session_id” field may indicate the attempt to impersonate an existing user’s application session.
[Medium] SSH IP pinning bypass
When issuing a user certificate, Teleport did not check for the presence of IP restrictions in the client’s credentials. This could allow an attacker in possession of valid client credentials with IP restrictions to reissue credentials without IP restrictions. Presence of a “cert.create” audit event (code TC000I) without corresponding “user.login” audit event (codes T1000I or T1101I) for users with IP restricted roles may indicate an issuance of a certificate without IP restrictions.
[Low] Web API session caching
After logging out via the web UI, a user’s session could remain cached in Teleport’s proxy, allowing continued access to resources for a limited time window.
Other improvements and bugfixes
You can find more information on this release in the Teleport changelog.