SANS Internet StormCast
SANS Stormcast Wednesday, January 7th, 2026: Tailsnitch Review; D-Link DSL EoL Vuln; TOTOLINK Unpatched Vuln
AI Summary
The episode reviews TailSnitch, an open‑source Go tool that audits Tailscale VPN configurations, highlighting its ease of use, sensible severity ratings, and optional auto‑fix feature. It then warns about an actively‑exploited command‑injection flaw in legacy D‑Link DSL modems via an unauthenticated DNS configuration script, recommending replacement or custom firmware. Finally, it details a TOTOLINK EX200 extender issue where a failed firmware update can spawn an unauthenticated Telnet service, noting the lack of patches and the device’s de facto end‑of‑life status. Listeners are urged to scan for unexpected Telnet ports and consider upgrading or retiring vulnerable hardware.
Episode Description
Tool Review: Tailsnitch
https://isc.sans.edu/diary/Tool%20Review%3A%20Tailsnitch/32602
https://www.vulncheck.com/advisories/dlink-dsl-command-injection-via-dns-configuration-endpoint
https://kb.cert.org/vuls/id/295169
Show Notes
SANS Stormcast – Wednesday, January 7, 2026
Handler on Duty: Guy Bruneau
Tool Review: Tailsnitch
Tailsnitch is a tool to audit your Tailscale configuration. It performs a comprehensive analysis of your configuration and can suggest (or even apply) fixes.
Tool Review: Tailsnitch – SANS Diary
D‑Link DSL Command Injection via DNS Configuration Endpoint
A new vulnerability in very old D‑Link DSL modems is currently being exploited.
TOTOLINK EX200 Firmware‑Upload Error Handling
TOTOLINK extenders may start a telnet server and allow unauthenticated access if a firmware update fails.
Details – CERT Vulnerability Note VU#295169
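The D‑Link item above is the classic case of a configuration script passing request input to an OS command. The following is an added example, not D‑Link code or anything from the advisory: a hardened "update the DNS servers" handler that authenticates first, accepts only IP literals, and writes the file from Python rather than through a shell. The parameter name `dns`, the session flag and the file path are assumptions for illustration, and the requests in `demo()` are constructed.

```python
"""Hardened 'update the DNS configuration' handler.

Added example illustrating the pattern the D-Link item describes (a
configuration script turning request input into an OS command); it is not
D-Link code. The parameter name 'dns', the session flag and the file path are
assumptions for illustration.
"""
import ipaddress
import os
import tempfile
from typing import Dict, List


class ConfigError(ValueError):
    """Raised when a request parameter is rejected."""


def unsafe_command_for(dns_servers: str) -> str:
    """The risky pattern: request input pasted into a shell command line.
    Returned as a string only and never executed here; any shell
    metacharacter in dns_servers would become part of the command."""
    return f"echo 'nameserver {dns_servers}' > /etc/resolv.conf"


def parse_dns_servers(raw: str, max_servers: int = 3) -> List[str]:
    """Allow-list validation: comma-separated IPv4/IPv6 literals and nothing else."""
    servers: List[str] = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            addr = ipaddress.ip_address(item)   # rejects anything that is not an IP literal
        except ValueError:
            raise ConfigError(f"not an IP address: {item!r}") from None
        if addr.is_multicast or addr.is_unspecified:
            raise ConfigError(f"unusable resolver address: {item!r}")
        servers.append(str(addr))              # normalised form, e.g. compressed IPv6
    if not servers:
        raise ConfigError("no DNS servers given")
    if len(servers) > max_servers:
        raise ConfigError(f"more than {max_servers} DNS servers")
    return servers


def write_resolv_conf(servers: List[str], path: str) -> str:
    """Write the file from Python directly: no shell, so no command injection."""
    content = "".join(f"nameserver {s}\n" for s in servers)
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        fh.write(content)
    os.replace(tmp, path)    # atomic swap: a half-written file never goes live
    return content


def handle_dnscfg(params: Dict[str, str], session_ok: bool, path: str) -> str:
    """Order matters: authenticate, validate, then write."""
    if not session_ok:
        raise PermissionError("authentication required")
    servers = parse_dns_servers(params.get("dns", ""))
    return write_resolv_conf(servers, path)


def demo() -> Dict[str, object]:
    """Run the handler against a temp file with constructed good, hostile and
    unauthenticated requests; returns what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "resolv.conf")
        written = handle_dnscfg({"dns": "9.9.9.9, 2620:fe::fe"}, True, path)
        try:
            handle_dnscfg({"dns": "9.9.9.9; id"}, True, path)
            hostile_rejected = False
        except ConfigError:
            hostile_rejected = True
        try:
            handle_dnscfg({"dns": "8.8.8.8"}, False, path)
            unauth_blocked = False
        except PermissionError:
            unauth_blocked = True
        with open(path, encoding="ascii") as fh:
            on_disk = fh.read()
    return {"written": written, "on_disk": on_disk,
            "hostile_rejected": hostile_rejected, "unauth_blocked": unauth_blocked}
```

The two defences are independent: the allow-list stops hostile values from ever reaching the file, and writing without a shell means that even a validation slip cannot become command execution. The atomic rename is there because a modem that loses power mid-write should not come back with an empty resolver file.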
Podcast Transcript
Hello and welcome to the Wednesday, January 7th, 2026 edition of the SANS Internet Storm Center's Stormcast. My name is Johannes Ullrich, recording today from Jacksonville, Florida. And this episode is brought to you by the SANS.edu Master's Degree Program in Information Security Engineering.
Yesterday, I briefly mentioned the tool TailSnitch. I just came across it yesterday, and I thought it was interesting, in particular since yesterday I talked sort of about KVMs, the remote access that often uses TailScale VPNs. Well, today I took a little bit of time to take a closer look at TailSnitch, and it's a pretty impressive and useful tool.
So the goal of TailSnitch is to audit your TailScale configuration. TailScale itself, it's a pretty solid system as far as VPNs go, but of course a lot of it also depends on how you configure it. And TailSnitch will point out some of the possible misconfigurations that you're running into. And yes, it does this very well. It's very comprehensive, the tool. In my case, it found two systems that I had that had an old version of TailScale running. So basically, auto update wasn't configured correctly. Fix that and that's something nice to point out.
It also points out things like, for example, access tokens that you issued and set to not expire. In my case, I intentionally did it that way. Overall, what I also find is that the severity levels it assigns, I think, are rather reasonable. A lot of tools like this tend to sort of, you know, a little bit overhype kind of some of the configuration issues that they're detecting. I haven't really seen this so far here in TailSnitch.
It's also easy to install the tool. It comes as a binary, but you can also create it from source. It's written in Go. It's open source and free. And yes, certainly valuable if you're running TailScale to occasionally use this tool.
There are two modes you can run it in. You can run it sort of in a detection only mode. And that's what I did. In this case, it only needs read access to your configuration. There is an automatic fix option that I didn't play with. I was a little bit too scared for it to sort of mess up my network. But for a smaller network, I don't think it's really necessary to use the automatic fix option. It's probably better to just manually address the couple of issues it finds.
And then we do have a new vulnerability in very old equipment. D‑Link DSL modems, some of them haven't been supported since 2013. This new vulnerability in those modems is now being exploited. The target here is the DNS configuration script, dnscfg.cgi. This has been a target of prior attacks. I looked through our database and we did have plenty of attacks going back sort of until the 2010s that tried to change the DNS configuration. This was a known issue where basically changing DNS configuration did not require authentication. That has been fixed. However, these new flaws, of course, given how old these devices are, will not be fixed. These are code‑execution vulnerabilities. Very classic problem here where you have these scripts that update configuration files. If you aren't careful, that can lead to OS command injection and command execution on the vulnerable device. This is certainly one of those things where you must replace the device. Given how old they are, I'm surprised they're still around. They're still working. If you really love the device, for some of them you can actually get OpenWrt and install an up‑to‑date firmware on the device.
Talking about end‑of‑life devices with new vulnerabilities, the next one we have here is the TOTOLINK EX200 extender. This particular device suffers from an interesting vulnerability where an interrupted firmware update may actually trigger a Telnet server being started without authentication. I can see this sort of as a fail‑safe feature where in case your firmware update fails, it starts up that Telnet server to allow you to fix any problems. It's not clear how easily this particular behavior is triggered inadvertently. But certainly one of those things that you want to check is, “Hey, is there a Telnet server running on my devices?” A simple port scan of your network probably will tell you that pretty easily.
No patches are available for this. It doesn't appear that these devices are actually officially end‑of‑life. However, the last update released was in 2023, so with that, two‑plus years ago, I would probably call this device end‑of‑life at this point.
Well, and this is it for today. So thanks for listening and thanks for liking. Thanks for subscribing. Remember, I do have that challenge: if you find mistakes in the podcast, let me know and I'll send you a sticker. So thanks and talk to you again tomorrow. Bye.
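The TOTOLINK item in the transcript recommends a simple port scan to find out whether a Telnet server has appeared on your devices. Below is an added example of that check, not code from SANS or TOTOLINK: it connects to TCP/23 on each host, grabs the first bytes the service sends (Telnet daemons typically start with IAC option negotiation or a login prompt), and reports the hits. The loopback listener in `start_fake_telnet` is a constructed stand-in for an extender that has dropped into its recovery Telnet; in practice you would pass the addresses of your extenders, modems and other embedded devices to `scan_for_telnet`.

```python
"""Find hosts that unexpectedly accept Telnet (TCP/23) connections.

Added example for the TOTOLINK EX200 item; not code from SANS or TOTOLINK.
The loopback stand-in and the host list are constructed for illustration.
"""
import socket
import threading
from typing import Iterable, List, Tuple

TELNET_PORT = 23


def is_tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def grab_banner(host: str, port: int, timeout: float = 1.0) -> bytes:
    """Read what the service sends first; Telnet daemons usually begin with
    IAC (0xff) option negotiation or a login prompt, which helps confirm
    what is behind the port."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


def scan_for_telnet(hosts: Iterable[str], port: int = TELNET_PORT,
                    timeout: float = 1.0) -> List[Tuple[str, bytes]]:
    """Return (host, banner) for every host accepting connections on port."""
    hits: List[Tuple[str, bytes]] = []
    for host in hosts:
        if is_tcp_open(host, port, timeout):
            hits.append((host, grab_banner(host, port, timeout)))
    return hits


def start_fake_telnet(banner: bytes = b"\xff\xfd\x18login: "
                      ) -> Tuple[socket.socket, int, threading.Event]:
    """Loopback listener standing in for a device that started Telnet after a
    failed update (constructed). Returns (socket, port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return           # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass         # client may already have hung up

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1], stop


def demo() -> dict:
    """Scan one open and one closed loopback port; returns the scan results."""
    srv, open_port, stop = start_fake_telnet()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                # nothing listens on closed_port now
    try:
        found = scan_for_telnet(["127.0.0.1"], port=open_port)
        not_found = scan_for_telnet(["127.0.0.1"], port=closed_port)
    finally:
        stop.set()
        srv.close()
    return {"open": found, "closed": not_found}


if __name__ == "__main__":
    for host, banner in demo()["open"]:
        print(f"{host}: Telnet-like service, banner {banner!r}")
```

Run it periodically against the addresses of your embedded devices rather than once: the transcript's point is that the Telnet service can appear later, after a firmware update goes wrong, on a device that was clean when you last looked.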
© 2026 SANS™ Internet Storm Center – Content licensed under CC BY‑NC‑SA 4.0