Fleet Windows MDM Enrollment JWT Signature Bypass Vulnerability Allowing Unauthorized Device Enrollment

Vulnerability

Fleet's Windows Mobile Device Management (MDM) enrollment flow accepted Azure Active Directory (Azure AD) JSON Web Tokens (JWTs) without properly validating their signatures. Affected are Fleet versions before 4.78.3, 4.77.1, 4.76.2, 4.75.2 and 4.53.3 (the patched release on each affected line). Because the server trusted the claims of a token whose signature it had not verified, an attacker could submit a forged token carrying arbitrary identity claims and enroll a device under any Azure AD user identity, without holding that user's credentials.

Impact

An attacker able to reach the Fleet server's Windows MDM enrollment endpoint can enroll devices they control under any Azure AD user identity, because the identity was taken from unverified JWT claims. Fleet then treats such a device as that user's legitimately enrolled Windows host.

Reproduction

Begin a Windows device enrollment against Fleet through the Azure AD MDM flow, but present a JWT that claims to have been issued by Azure AD without carrying a valid Azure AD signature, with its identity claims edited to name whichever user the attacker chooses. Affected versions read those claims without verifying the signature, so the enrollment completes under the chosen identity.
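
To make the failure mode concrete, here is an added example written for this page (it is not Fleet's code) in Go, the language Fleet itself is written in: a parser that decodes the JWT payload and trusts its claims without ever checking the signature, next to the hardened form that pins the algorithm, looks the signing key up by kid from a trusted set, verifies the signature over the bytes received, and only then checks iss, aud and exp. The claim names (upn, iss, aud), the kid and key material, the issuer URL with its TENANT-ID placeholder and the audience fleet-mdm are assumptions made for the example; the advisory does not state which claims Fleet read or how its verification was wired.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // illustrative claim names; the advisory does not say which ones Fleet read
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Upn string `json:"upn"`
	Exp int64  `json:"exp"`
}

func segment(v interface{}) string { // base64url(JSON) of one JWT part
	b, _ := json.Marshal(v) // plain structs and string maps: cannot fail
	return base64.RawURLEncoding.EncodeToString(b)
}
func decodeSegment(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

func signRS256(key *rsa.PrivateKey, kid string, c Claims) string { // what the IdP mints
	input := segment(map[string]string{"alg": "RS256", "kid": kid}) + "." + segment(c)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:]) // fails only on a bad key
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}
func forgeUnsigned(c Claims) string { // attacker's token: any claims, alg=none, empty signature
	return segment(map[string]string{"alg": "none"}) + "." + segment(c) + "."
}

// vulnerableIdentity mirrors the bug class: the payload is decoded and trusted, and the
// signature segment is never looked at.
func vulnerableIdentity(token string) string {
	var c Claims
	if parts := strings.Split(token, "."); len(parts) == 3 {
		_ = decodeSegment(parts[1], &c)
	}
	return c.Upn
}

// verifiedIdentity is the hardened form: pin the algorithm, resolve the key by kid from the
// trusted set (the tenant's published signing keys), verify the signature over the exact
// bytes received, and only then honour iss, aud, exp and the identity claim.
func verifiedIdentity(token string, trusted map[string]*rsa.PublicKey, wantIss, wantAud string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	var h map[string]string
	if len(parts) != 3 || decodeSegment(parts[0], &h) != nil || h["alg"] != "RS256" {
		return "", fmt.Errorf("malformed token or unacceptable alg %q", h["alg"])
	}
	pub, ok := trusted[h["kid"]]
	if !ok {
		return "", fmt.Errorf("unknown kid %q", h["kid"])
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return "", fmt.Errorf("signature does not verify under kid %q", h["kid"])
	}
	var c Claims
	if err := decodeSegment(parts[1], &c); err != nil || c.Iss != wantIss || c.Aud != wantAud || c.Exp <= now {
		return "", fmt.Errorf("payload undecodable or iss/aud/exp not acceptable for this tenant (%v)", err)
	}
	return c.Upn, nil
}

// Scenario builds a tenant key and an attacker key (constructed demo material), runs a genuine
// token, an alg=none forgery and an attacker-signed token reusing the tenant's kid through both
// parsers, returning the identity each accepted ("" where the hardened parser rejected it).
func Scenario() (vulnerable, hardened map[string]string) {
	const iss, aud, now = "https://login.microsoftonline.com/TENANT-ID/v2.0", "fleet-mdm", 1700000000
	tenantKey, _ := rsa.GenerateKey(rand.Reader, 2048) // demo keys; errors ignored for brevity
	attackerKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	trusted := map[string]*rsa.PublicKey{"tenant-key-1": &tenantKey.PublicKey}
	claims := Claims{Iss: iss, Aud: aud, Upn: "admin@contoso.example", Exp: now + 3600}
	tokens := map[string]string{
		"genuine":         signRS256(tenantKey, "tenant-key-1", claims),
		"alg-none":        forgeUnsigned(claims),
		"attacker-signed": signRS256(attackerKey, "tenant-key-1", claims),
	}
	vulnerable, hardened = map[string]string{}, map[string]string{}
	for name, tok := range tokens {
		vulnerable[name] = vulnerableIdentity(tok)
		hardened[name], _ = verifiedIdentity(tok, trusted, iss, aud, now)
	}
	return vulnerable, hardened
}
```

Calling Scenario() from a main or a test shows the vulnerable parser reporting admin@contoso.example for all three tokens, while the hardened parser accepts only the genuine one. The attacker-signed case is why a kid lookup alone is not enough: the header can name any key id, so the signature must still be checked against the key that id resolves to in the trusted set, and the alg must be fixed by the verifier rather than read from the token.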

Remediation

Upgrade to 4.78.3, 4.77.1, 4.76.2, 4.75.2 or 4.53.3, whichever is the patched release for the line in use. If an immediate upgrade is not possible, temporarily disable Windows MDM in Fleet; this blocks new enrollments but does nothing about devices enrolled while the flaw was exploitable. After upgrading, review the Windows hosts that enrolled through Azure AD during the exposure window and remove any that cannot be matched to a known device and user.

Added: Jan 21, 2026, 10:23 PM
Updated: Jan 21, 2026, 10:23 PM

Vulnerability Rating

Custom Algorithm

spread          0.8
impact          1.3
exploitability  9.1
remediation     8.3
relevance       2.3
threat          4.8
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.