Skip to content

Improper Authorization and Missing Authorization and Improper Access Control in github.com/fleetdm/fleet

Moderate
zwass published GHSA-pr2g-j78h-84cr Apr 18, 2022

Package

gomod github.com/fleetdm/fleet (Go)

Affected versions

<4.13

Patched versions

4.13

Description

Lares identified post-authentication authorization issues on Fleet 4.12.1 during a penetration testing engagement.

We will post the full report as soon as we have addressed the remaining, less impactful issues.

This advisory covers the most impactful issues discovered through this test, all related to authorization in the teams feature of Fleet. Exploiting these issues requires valid Fleet credentials.

With the full report, we will disclose our plans for additional automated and manual testing to prevent these issues from occurring again.

We will also update the product documentation with more granular role and permission information so the expected behavior for all these cases is explicit.

Affects

Fleet Premium 4.12.1 and older if teams users are in use. The free version of Fleet does not support teams and is unaffected.

Version Configuration Impacted
<4.13 Teams used, team admins used Yes
<4.13 Teams used, team observers and maintainers used Partially
<4.13 Teams used, only global accounts used No

Fleet instances without teams, or with teams but without restricted team accounts are not affected.
The most impactful part of this issue, listed first in the Impact section, requires team admins to be in use to be exploited.

Impact

A team admin can add themselves as admin, maintainer or observer on other teams.

In 4.13, this is no longer possible.

Team maintainers can list all users.

In 4.13, only global admins can list all users. We will add back the ability to do so for team administrators in a future release.

Team maintainers can list all query packs.

In 4.13, only global admins and global maintainers should be able to list all query packs.

Team observers, maintainers, and admins can list all activities.

In 4.13, only global users can view global activities.

Team observers, maintainers, and admins can list software for the entire instance.

In 4.13, only global users can list global software, and team users can list team software.

We fixed these issues through a private fork, which was then committed to the main Fleet branch. (LINK TO COMMIT WILL BE HERE ONCE PUBLISHED)

Patches

Fleet 4.13

Workarounds

If not using team access, this issue is not exploitable.
If not using team admins, the first part of the issue A team admin can add themselves as admin, maintainer, or observer on other teams is not exploitable.

Detection

  • Review team memberships to ensure only authorized users are present.

Other issues granted read access to limited data.

Retesting

4.13 has been tested internally for these issues, and will be retested externally. We are releasing this advisory and update before retesting has occurred as we are confident we have addressed the issues properly and want to provide the fix as soon as possible. Retesting results will be made available with the next scheduled Fleet release at the latest.

For more information

If you have any questions or comments about this advisory:

join us in the #fleet channel of osquery Slack.
Email us at security@fleetdm.com.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-24841

Credits