Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.82.0
A vulnerability exists in Fleet's Windows Mobile Device Management (MDM) enrollment process, allowing authentication tokens from any Azure Active Directory (AD) tenant to be accepted. This issue arises because Fleet verifies JSON Web Token (JWT) signatures using Microsoft's multi-tenant JSON Web Key Set (JWKS) endpoint but fails to enforce the 'aud' (audience) or 'iss' (issuer) claims. As a result, any Microsoft-signed Azure AD access token with the required scopes can authenticate to Fleet's MDM endpoints. If Windows MDM is enabled, an attacker with access to any Azure AD tenant can acquire a valid Microsoft-signed token to enroll unauthorized devices and access Fleet's MDM management APIs. During this process, sensitive enrollment secrets may be revealed within MDM command payloads, potentially leading to further unauthorized access.
Exploitation of this vulnerability allows unauthorized enrollment of devices via Windows MDM, with access to Fleet's MDM management APIs. This could result in exposure of sensitive enrollment secrets, embedded in MDM command payloads, facilitating additional unauthorized access.
Users can upgrade to Fleet version 4.82.0 or later. If an immediate upgrade is not feasible, Windows MDM can be temporarily disabled.
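As an added illustration, not Fleet's own code, the Go snippet below contrasts the two checks the advisory describes: accepting any token whose RS256 signature verifies against the multi-tenant key, versus additionally pinning the `iss` and `aud` claims to one tenant and app registration. The signing key stands in for Microsoft's JWKS and the issuer URL and audience used in testing are constructed values.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of an Azure AD access token relevant to this check.
type Claims struct {
	Iss string `json:"iss"` // issuer URL, carries the tenant id
	Aud string `json:"aud"` // audience, the app registration the token was minted for
}

var b64 = base64.RawURLEncoding

// signRS256 mints a compact JWS; the local key stands in for the JWKS key (demo helper, not Fleet code).
func signRS256(key *rsa.PrivateKey, c Claims) (string, error) {
	body, _ := json.Marshal(c)
	in := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig), err
}

// verifySignatureOnly is the pre-4.82.0 behaviour the advisory describes: a valid signature from the
// multi-tenant issuer is enough, so a token minted for any Azure AD tenant is accepted.
func verifySignatureOnly(pub *rsa.PublicKey, tok string) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 { return Claims{}, errors.New("malformed token") }
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil { return Claims{}, errors.New("bad signature") }
	raw, err := b64.DecodeString(parts[1])
	if err != nil { return Claims{}, err }
	var c Claims
	return c, json.Unmarshal(raw, &c)
}

// verifyForTenant is the hardened check: signature plus iss and aud pinned to this deployment's tenant and app.
func verifyForTenant(pub *rsa.PublicKey, tok, wantIss, wantAud string) (Claims, error) {
	c, err := verifySignatureOnly(pub, tok)
	if err != nil { return Claims{}, err }
	if c.Iss != wantIss { return Claims{}, errors.New("untrusted issuer: " + c.Iss) }
	if c.Aud != wantAud { return Claims{}, errors.New("audience mismatch: " + c.Aud) }
	return c, nil
}
```

A token minted in a different tenant carries a different `iss` even though the same Microsoft key signed it, which is why the signature-only check passes it and the pinned check rejects it.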