CVE-2022-24841
fleetdm/fleet is an open source device management platform built on osquery. All versions of Fleet that use the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted (team-scoped) accounts, are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.
Lares identified post-authentication authorization issues on Fleet 4.12.1 during a penetration testing engagement.
We will post the full report as soon as we have addressed the remaining, less impactful issues.
This advisory covers the most impactful issues discovered through this test, all related to authorization in the teams feature of Fleet. Exploiting these issues requires valid Fleet credentials.
With the full report, we will disclose our plans for additional automated and manual testing to prevent these issues from occurring again.
We will also update the product documentation with more granular role and permission information so the expected behavior for all these cases is explicit.
Affects
Fleet Premium 4.12.1 and older, if team-scoped users are in use. The free version of Fleet does not support teams and is unaffected.
| Version | Configuration | Impacted |
|---|---|---|
| <4.13 | Teams used, team admins used | Yes |
| <4.13 | Teams used, team observers and maintainers used | Partially |
| <4.13 | Teams used, only global accounts used | No |
Fleet instances without teams, or with teams but without restricted team accounts are not affected.
The most impactful part of this issue, listed first in the Impact section, requires team admins to be in use to be exploited.
Impact
A team admin can add themselves as admin, maintainer or observer on other teams.
In 4.13, this is no longer possible.
Team maintainers can list all users.
In 4.13, only global admins can list all users. We will add back the ability to do so for team administrators in a future release.
Team maintainers can list all query packs.
In 4.13, only global admins and global maintainers can list all query packs.
Team observers, maintainers, and admins can list all activities.
In 4.13, only global users can view global activities.
Team observers, maintainers, and admins can list software for the entire instance.
In 4.13, only global users can list global software, and team users can list team software.
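The rules in the Impact list, written out as authorization functions. This is an added example to illustrate the class of bug and the intended 4.13 behaviour; it is not Fleet's code (Fleet's real authorization layer is separate), and the `User`, `Role`, `canModifyMembers*` and `canList*` names are assumptions of this example. The "broken" variant checks whether the actor is an admin anywhere instead of on the target team, which is what lets a team admin add themselves to other teams.

```go
package main

import "fmt"

// Role is the access level a user holds either globally or on one team.
// Names follow the roles named in the advisory; the types are illustrative.
type Role string

const (
	Admin      Role = "admin"
	Maintainer Role = "maintainer"
	Observer   Role = "observer"
)

// User models an actor. GlobalRole is empty for team-scoped users; TeamRoles
// maps team ID to the role held on that team.
type User struct {
	ID         int
	GlobalRole Role
	TeamRoles  map[int]Role
}

// canModifyMembersBroken shows the class of mistake behind this advisory:
// it asks "is the actor an admin anywhere?" and never ties the admin role to
// the team being modified, so an admin of team 1 passes for team 2 as well.
// Illustration only, not Fleet's pre-4.13 code.
func canModifyMembersBroken(actor User, teamID int) bool {
	if actor.GlobalRole == Admin {
		return true
	}
	for _, r := range actor.TeamRoles {
		if r == Admin {
			return true
		}
	}
	return false
}

// canModifyMembersFixed binds the decision to the target team: a team-scoped
// actor may change membership only of a team on which they hold admin.
func canModifyMembersFixed(actor User, teamID int) bool {
	if actor.GlobalRole == Admin {
		return true
	}
	return actor.TeamRoles[teamID] == Admin
}

// canListGlobal encodes the 4.13 read rules from the Impact list: all users
// is global-admin only, all query packs is global admin or maintainer, and
// global activities and instance-wide software need any global role. Team
// roles never grant instance-wide reads.
func canListGlobal(actor User, resource string) bool {
	switch resource {
	case "users":
		return actor.GlobalRole == Admin
	case "packs":
		return actor.GlobalRole == Admin || actor.GlobalRole == Maintainer
	case "activities", "software":
		return actor.GlobalRole != ""
	}
	return false
}

// canListTeamSoftware lets global users and members of the given team read
// that team's software, and nobody else.
func canListTeamSoftware(actor User, teamID int) bool {
	if actor.GlobalRole != "" {
		return true
	}
	_, member := actor.TeamRoles[teamID]
	return member
}

func main() {
	teamOneAdmin := User{ID: 7, TeamRoles: map[int]Role{1: Admin}}
	fmt.Println("broken check, team 2:", canModifyMembersBroken(teamOneAdmin, 2)) // true
	fmt.Println("fixed check, team 2:", canModifyMembersFixed(teamOneAdmin, 2))   // false
	fmt.Println("fixed check, team 1:", canModifyMembersFixed(teamOneAdmin, 1))   // true
	fmt.Println("team admin lists all users:", canListGlobal(teamOneAdmin, "users")) // false
}
```

The point of the fixed variant is that every decision takes the target team as an input and looks the actor's role up for that team specifically; a check that scans all of the actor's roles for "admin" is the shape to look for when reviewing similar code.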
We fixed these issues through a private fork, which was then committed to the main Fleet branch. (LINK TO COMMIT WILL BE HERE ONCE PUBLISHED)
Patches
Fleet 4.13
Workarounds
If not using team access, this issue is not exploitable.
If not using team admins, the first part of the issue ("A team admin can add themselves as admin, maintainer, or observer on other teams") is not exploitable.
Detection
- Review team memberships to ensure only authorized users are present.
- The other issues only granted read access to limited data.
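One way to do the membership review above as a repeatable check, as an added example rather than anything shipped by Fleet: take the users list from the Fleet API, compare every team-scoped user's team roles against an approved baseline, and report any membership or role the baseline does not grant. The JSON field names (`users`, `email`, `global_role`, `teams[].id`, `teams[].role`) follow the shape of the users endpoint as understood by the author of this example and should be checked against the API docs for your Fleet version; the sample response and the baseline are constructed, and fetching the list from a live instance is left out so the check runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Field names follow the shape of the Fleet users API response
// (GET /api/v1/fleet/users) as understood by the author of this example;
// check them against the API docs for your Fleet version before relying
// on this. Only the fields the check needs are declared.
type teamRole struct {
	ID   int    `json:"id"`
	Name string `json:"name"`
	Role string `json:"role"`
}

type fleetUser struct {
	ID         int        `json:"id"`
	Email      string     `json:"email"`
	GlobalRole *string    `json:"global_role"`
	Teams      []teamRole `json:"teams"`
}

type usersResponse struct {
	Users []fleetUser `json:"users"`
}

// Finding is one team membership that the approved baseline does not grant.
type Finding struct {
	Email  string
	TeamID int
	Role   string
}

// Constructed sample response, not real data: alice is approved as admin of
// team 1 only, carol as observer of team 3 only.
const sampleUsers = `{"users": [
  {"id": 1, "email": "root@example.com", "global_role": "admin", "teams": []},
  {"id": 12, "email": "alice@example.com", "global_role": null,
   "teams": [{"id": 1, "name": "Workstations", "role": "admin"},
             {"id": 2, "name": "Servers", "role": "admin"}]},
  {"id": 13, "email": "bob@example.com", "global_role": null,
   "teams": [{"id": 2, "name": "Servers", "role": "observer"}]},
  {"id": 14, "email": "carol@example.com", "global_role": null,
   "teams": [{"id": 3, "name": "Laptops", "role": "maintainer"}]}
]}`

// approvedBaseline is the membership you expect, email -> team ID -> role.
// In practice this comes from your source of truth (IdP groups, a reviewed
// config file), not from Fleet itself.
var approvedBaseline = map[string]map[int]string{
	"alice@example.com": {1: "admin"},
	"bob@example.com":   {2: "observer"},
	"carol@example.com": {3: "observer"},
}

// unexpectedMemberships reports every team role held by a team-scoped user
// that the baseline does not grant: a membership on a team the user should
// not be on at all, or a different role than approved on a team they should
// be on. Global users are skipped because their access is not team-scoped.
func unexpectedMemberships(raw []byte, baseline map[string]map[int]string) ([]Finding, error) {
	var resp usersResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, err
	}
	var out []Finding
	for _, u := range resp.Users {
		if u.GlobalRole != nil {
			continue
		}
		for _, t := range u.Teams {
			// Indexing a missing email or team yields "", so both an unknown
			// team and a wrong role fall through to a finding.
			if baseline[u.Email][t.ID] != t.Role {
				out = append(out, Finding{Email: u.Email, TeamID: t.ID, Role: t.Role})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Email != out[j].Email {
			return out[i].Email < out[j].Email
		}
		return out[i].TeamID < out[j].TeamID
	})
	return out, nil
}

func main() {
	findings, err := unexpectedMemberships([]byte(sampleUsers), approvedBaseline)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s holds %s on team %d without approval\n", f.Email, f.Role, f.TeamID)
	}
}
```

Run against the sample, this flags alice as admin of team 2 and carol as maintainer of team 3. A team admin who exploited the first issue in this advisory would show up the same way alice does: a team-scoped account holding a role on a team the baseline never assigned them.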
Retesting
4.13 has been tested internally for these issues, and will be retested externally. We are releasing this advisory and update before retesting has occurred as we are confident we have addressed the issues properly and want to provide the fix as soon as possible. Retesting results will be made available with the next scheduled Fleet release at the latest.
For more information
If you have any questions or comments about this advisory:
- Join us in the #fleet channel of the osquery Slack.
- Email us at [email protected].