Incident Response to September 20th 2021

Patches were applied to address this vulnerability on June 18, 2021, and September 20, 2021. The attacker has generated an identity collision with an attacking address. The attacking address must be authorized to the victim's network. The victim does not have the real identity of the attacking address cached. To demonstrate the attack, Pulse Security generated two arbitrary colliding identities and pre-seeded an environment. Attacking a live target would have been considerably more expensive but not outside the reach of a well resourced attacker. Implemented a mitigation in the ZeroTier core to render this attack impossible even in the presence of a colliding address or improperly configured roots.