Fleet Unauthenticated Denial-of-Service Vulnerability via Unbounded Request Body Read

Vulnerability

A denial-of-service vulnerability has been identified in Fleet device management software, affecting versions prior to 4.81.0. Several unauthenticated HTTP endpoints read the full request body into memory without enforcing a size limit. Because the read is unbounded, an attacker who can reach those endpoints needs no credentials: sending very large request bodies, or many of them at once, drives memory allocation until the Fleet server process exhausts available memory and is restarted.

Impact

Exploitation causes the Fleet server process to run out of memory and restart, disrupting service availability for the whole deployment. Since the affected endpoints require no authentication, the only precondition is network reachability of the Fleet server, and repeated payloads can keep the process restarting.

Remediation

Upgrade to Fleet version 4.81.0 or later to address this vulnerability. If an immediate upgrade is not possible, enforce a request body size limit at the reverse proxy or load balancer in front of Fleet (for example client_max_body_size in NGINX, or the HTTP buffer filter's max_request_bytes in Envoy), sized to the largest legitimate payload your enrolled agents send. The limit must be enforced while the body is being read, not only by inspecting the Content-Length header, because a client using chunked transfer encoding sends no Content-Length. Where feasible, restrict network access to the affected endpoints to known IP ranges, and monitor the Fleet process for memory growth and an abnormal restart rate.
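The following Go program is an added illustration of the bug class and its fix, not code from Fleet or from this advisory. The handler, route, and constant names (ingestHandler, /ingest, maxBodyBytes, limitBody) are assumptions chosen for the example; the only real API it relies on is net/http's MaxBytesReader, which caps a body as it is read and returns *http.MaxBytesError (Go 1.19 and later) once the cap is exceeded. The same handler is exercised twice: exposed directly, as the pre-4.81.0 code path was, and behind a middleware that caps every request body.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for this demonstration, not a value taken
// from Fleet's fix. Size it to the largest legitimate payload the endpoint
// must accept.
const maxBodyBytes int64 = 1 << 20 // 1 MiB

// ingestHandler is a hypothetical unauthenticated endpoint that, like the
// pre-4.81.0 code paths described above, reads the whole request body into
// memory. Exposed directly it allocates as much as the client sends.
func ingestHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		// Returned by http.MaxBytesReader once the cap is exceeded (Go 1.19+).
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "could not read body", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "accepted %d bytes\n", len(body))
}

// limitBody is middleware that wraps every request body in
// http.MaxBytesReader before the handler sees it. The cap is enforced while
// the body is read, so it also covers chunked requests that carry no
// Content-Length. Applying it once at the mux covers every endpoint, which
// avoids the per-handler omission behind this advisory.
func limitBody(next http.Handler, max int64) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Body = http.MaxBytesReader(w, r.Body, max)
		next.ServeHTTP(w, r)
	})
}

// unboundedServer is the vulnerable wiring: the handler is exposed directly.
func unboundedServer() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/ingest", ingestHandler)
	return mux
}

// boundedServer is the hardened wiring: the same mux behind limitBody.
func boundedServer() http.Handler {
	return limitBody(unboundedServer(), maxBodyBytes)
}

// post sends a constructed body of the given size to the handler in-process
// (no network) and returns the HTTP status code it produced.
func post(h http.Handler, size int64) int {
	body := strings.NewReader(strings.Repeat("A", int(size)))
	req := httptest.NewRequest(http.MethodPost, "/ingest", body)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded, 2 MiB body:", post(unboundedServer(), 2*maxBodyBytes)) // 200, fully buffered
	fmt.Println("bounded,   2 MiB body:", post(boundedServer(), 2*maxBodyBytes))   // 413, read stops at the cap
	fmt.Println("bounded,   1 MiB body:", post(boundedServer(), maxBodyBytes))     // 200, at the cap is allowed
}
```

Go's net/http has no server-wide body limit (Server.MaxHeaderBytes covers headers only), so a cap has to be applied per handler or, as here, once in a middleware that every route passes through; the latter is what prevents one forgotten endpoint from reopening the issue. Checking r.ContentLength instead of wrapping the body would not be enough, since a chunked request reports -1 there.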

Added: Mar 27, 2026, 7:28 PM
Updated: Mar 27, 2026, 7:28 PM

Vulnerability Rating (Custom Algorithm)

Category         Score
spread           0.8
impact           2.5
exploitability   8.1
remediation      7.9
relevance        4.8
threat           0.0
urgency          2.9
incentive        8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.