Tailscale version vulnerable?

Also, after connecting my InvisaGig to Tailscale, I see:
OS Linux (5.4.180-perf)
Tailscale version 1.86.2
with an indicator that 1.86.2 has a security vulnerability and that **it should be updated to 1.96.4.**
Is there any plan to get this updated? Can it potentially be done through ssh by hand?

Hi @MagicMan,
Thank you for raising this question as it is relevant for other IG owners who utilize the Tailscale functionality as well. While the base 1.86.2 client is affected by Tailscale Security Bulletins TS-2025-008, TS-2025-007, TS-2025-006, TS-2025-005, TS-2026-001, & TS-2026-002, the reality is that most of these do not apply to the IG implementation at all or otherwise cannot be exploited due to our hardening of the client functionality. I have summarized why IG is unaffected by each vulnerability below:

  • TS-2025-005
    • Only affects macOS/iOS client configurations distributed by MDM. IG does not run on these operating systems.
  • TS-2025-006
    • Only affects subnet routers and Tailscale already remediated the issue on the server side (control plane). Additionally, IG does not enable subnet router functionality.
  • TS-2025-007
    • Only affects one-off auth keys applied through automation and Tailscale already remediated the issue on the coordination server side. Additionally, IG does not use such keys.
  • TS-2025-008
    • Only affects Tailnet Lock when clients are running without a state directory and at least one node is unsigned. IG does not enable Tailnet Lock functionality and utilizes a state file/directory.
  • TS-2026-001
    • Only affects macOS clients with the ‘tssentineld’ launchd daemon. IG does not contain this binary.
  • TS-2026-002
    • Only affects clients running the web interface persistently. IG only exposes this interface during initial client registration; it is then killed and never launched again, leaving no possible attack surface.

Of course, we plan to update the Tailscale client to the latest available base version as part of the next IG software update. Our custom Tailscale client implementation is hardened as mentioned in the points above precisely to protect against any vulnerabilities found in the base client by the cybersecurity community between IG version releases. We fully test all new client builds with our software on the actual device before we distribute it to our user base to ensure stability and compatibility. This is why we do not offer a way to update Tailscale separately at this time.

In the future it is possible we may modularize the Tailscale client to be updated separately for our Beta test and power users but this is not implemented currently. If we do introduce this ability, the Tailscale client would still be updated through the IG device’s native management interface.

2 Likes