Lares identified post-authentication authorization issues on Fleet 4.12.1 during a penetration testing engagement.
We will post the full report as soon as we have addressed the remaining, less impactful issues.
This advisory covers the most impactful issues discovered through this test, all related to authorization in the teams feature of Fleet. Exploiting these issues requires valid Fleet credentials.
With the full report, we will disclose our plans for additional automated and manual testing to prevent these issues from occurring again.
We will also update the product documentation with more granular role and permission information so the expected behavior for all these cases is explicit.
Affects
Fleet Premium 4.12.1 and older if teams users are in use. The free version of Fleet does not support teams and is unaffected.
Version |
Configuration |
Impacted |
<4.13 |
Teams used, team admins used |
Yes |
<4.13 |
Teams used, team observers and maintainers used |
Partially |
<4.13 |
Teams used, only global accounts used |
No |
Fleet instances without teams, or with teams but without restricted team accounts are not affected.
The most impactful part of this issue, listed first in the Impact section, requires team admins to be in use to be exploited.
Impact
A team admin can add themselves as admin, maintainer or observer on other teams.
In 4.13, this is no longer possible.
Team maintainers can list all users.
In 4.13, only global admins can list all users. We will add back the ability to do so for team administrators in a future release.
Team maintainers can list all query packs.
In 4.13, only global admins and global maintainers should be able to list all query packs.
Team observers, maintainers, and admins can list all activities.
In 4.13, only global users can view global activities.
Team observers, maintainers, and admins can list software for the entire instance.
In 4.13, only global users can list global software, and team users can list team software.
We fixed these issues through a private fork, which was then committed to the main Fleet branch. (LINK TO COMMIT WILL BE HERE ONCE PUBLISHED)
Patches
Fleet 4.13
Workarounds
If not using team access, this issue is not exploitable.
If not using team admins, the first part of the issue A team admin can add themselves as admin, maintainer, or observer on other teams is not exploitable.
Detection
- Review team memberships to ensure only authorized users are present.
Other issues granted read access to limited data.
Retesting
4.13 has been tested internally for these issues, and will be retested externally. We are releasing this advisory and update before retesting has occurred as we are confident we have addressed the issues properly and want to provide the fix as soon as possible. Retesting results will be made available with the next scheduled Fleet release at the latest.
For more information
If you have any questions or comments about this advisory:
join us in the #fleet channel of osquery Slack.
Email us at [email protected].
Lares identified post-authentication authorization issues on Fleet 4.12.1 during a penetration testing engagement.
We will post the full report as soon as we have addressed the remaining, less impactful issues.
This advisory covers the most impactful issues discovered through this test, all related to authorization in the teams feature of Fleet. Exploiting these issues requires valid Fleet credentials.
With the full report, we will disclose our plans for additional automated and manual testing to prevent these issues from occurring again.
We will also update the product documentation with more granular role and permission information so the expected behavior for all these cases is explicit.
Affects
Fleet Premium 4.12.1 and older if teams users are in use. The free version of Fleet does not support teams and is unaffected.
Fleet instances without teams, or with teams but without restricted team accounts are not affected.
The most impactful part of this issue, listed first in the Impact section, requires team admins to be in use to be exploited.
Impact
A team admin can add themselves as admin, maintainer or observer on other teams.
In 4.13, this is no longer possible.
Team maintainers can list all users.
In 4.13, only global admins can list all users. We will add back the ability to do so for team administrators in a future release.
Team maintainers can list all query packs.
In 4.13, only global admins and global maintainers should be able to list all query packs.
Team observers, maintainers, and admins can list all activities.
In 4.13, only global users can view global activities.
Team observers, maintainers, and admins can list software for the entire instance.
In 4.13, only global users can list global software, and team users can list team software.
We fixed these issues through a private fork, which was then committed to the main Fleet branch. (LINK TO COMMIT WILL BE HERE ONCE PUBLISHED)
Patches
Fleet 4.13
Workarounds
If not using team access, this issue is not exploitable.
If not using team admins, the first part of the issue A team admin can add themselves as admin, maintainer, or observer on other teams is not exploitable.
Detection
Other issues granted read access to limited data.
Retesting
4.13 has been tested internally for these issues, and will be retested externally. We are releasing this advisory and update before retesting has occurred as we are confident we have addressed the issues properly and want to provide the fix as soon as possible. Retesting results will be made available with the next scheduled Fleet release at the latest.
For more information
If you have any questions or comments about this advisory:
join us in the #fleet channel of osquery Slack.
Email us at [email protected].