Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- <= 4.78.2
A broken access control vulnerability has been identified in Fleet, an open-source device management platform. This issue affects versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3. The debug and profiling (debug/pprof) endpoints check only that the caller is authenticated, not what role the caller holds, so any authenticated user, including one with the 'Observer' role, can view sensitive internal server diagnostics and initiate resource-heavy profiling tasks, which can lead to denial-of-service conditions.
Exploitation of this vulnerability allows low-privilege users to read sensitive server internals, such as runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that can cause a denial of service.
Users can upgrade to Fleet versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, or 4.53.3 to address this vulnerability. If an immediate upgrade is not possible, the debug/pprof endpoints can be placed behind an IP allowlist (for example, at a reverse proxy or load balancer in front of the server) as a temporary workaround; note that this limits who can reach the endpoints on the network but does not restore the missing role check.
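The following Go program is an added illustration of the flaw described above and of both remediations (the role check and the interim IP allowlist). It is not Fleet's code: the user model, the constructed X-Demo-User header used in place of real session lookup, and the CIDR list are assumptions for the example. It mounts Go's standard net/http/pprof index behind authentication only (the vulnerable shape), then behind an IP allowlist plus an admin-role check, and probes both with httptest so the policy can be verified offline.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
)

// User is an illustrative role model; Fleet's real user and session types differ.
type User struct {
	Name string
	Role string // "admin" or "observer" (assumed labels)
}

// authenticate stands in for session lookup. It reads a constructed X-Demo-User
// header so the example runs offline; a real server resolves a session token.
func authenticate(r *http.Request) (*User, bool) {
	switch r.Header.Get("X-Demo-User") {
	case "alice":
		return &User{Name: "alice", Role: "admin"}, true
	case "bob":
		return &User{Name: "bob", Role: "observer"}, true
	}
	return nil, false
}

// requireAuth rejects unauthenticated requests but never looks at the role.
// This is the check the vulnerable endpoints had.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := authenticate(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireAdmin is the missing check: authenticated AND holding the admin role.
func requireAdmin(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if u.Role != "admin" {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireSourceIP is the interim workaround. It uses the transport-level
// RemoteAddr, not X-Forwarded-For, which a client can forge unless a trusted
// proxy overwrites it.
func requireSourceIP(allow []*net.IPNet, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		ok := err == nil && ip != nil
		for i := 0; ok && i < len(allow); i++ {
			if allow[i].Contains(ip) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

func parseCIDRs(cidrs []string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// vulnerableDebugMux mirrors the flaw: pprof sits behind authentication only,
// so an observer can pull profiles and start CPU profiling.
func vulnerableDebugMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	return requireAuth(mux)
}

// hardenedDebugMux layers the IP allowlist and then the admin-role check in
// front of the same pprof handler.
func hardenedDebugMux(cidrs []string) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	return requireSourceIP(parseCIDRs(cidrs), requireAdmin(mux))
}

// probe sends GET /debug/pprof/ through h as the given user from the given
// address and returns the HTTP status code.
func probe(h http.Handler, user, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/debug/pprof/", nil)
	if user != "" {
		req.Header.Set("X-Demo-User", user)
	}
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := hardenedDebugMux([]string{"10.0.0.0/8"}) // assumed admin network
	fmt.Println("vulnerable, observer bob:", probe(vulnerableDebugMux(), "bob", "10.0.0.5:4000"))
	fmt.Println("hardened, observer bob:", probe(h, "bob", "10.0.0.5:4000"))
	fmt.Println("hardened, admin alice off-list:", probe(h, "alice", "198.51.100.7:4000"))
	fmt.Println("hardened, admin alice on-list:", probe(h, "alice", "10.0.0.5:4000"))
}
```

The vulnerable mux returns 200 to the observer; the hardened mux returns 403 to the observer from an allowed address, 403 to the admin from an address outside the allowlist, and 200 only to an admin on the allowlist. The same ordering (network restriction outermost, then authentication, then role) is what a reverse-proxy allowlist in front of a patched server gives you.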