Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*
- < 4.81.0
A denial-of-service vulnerability has been identified in Fleet device management software, prior to version 4.81.0. The issue resides in the gRPC Launcher 'PublishLogs' endpoint, where certain unexpected input values can cause the Fleet server process to crash. This occurs while processing an authenticated request from an enrolled Launcher host. An authenticated attacker with access to any enrolled Launcher node key can exploit this vulnerability by sending a single gRPC request to the 'PublishLogs' endpoint, leading to an immediate and complete denial of service.
Exploitation of this vulnerability causes the Fleet server process to terminate unexpectedly, disrupting service availability. This issue does not involve the exposure of sensitive data, authentication bypass, privilege escalation, or integrity impact.
Users can upgrade to Fleet version 4.81.0 or later, which includes the patch for this vulnerability. If an immediate upgrade is not possible, restrict network access to the Fleet gRPC endpoint, deploy the server behind infrastructure that filters gRPC traffic if Launcher log ingestion is not needed, and monitor for signs of exploitation such as repeated process crashes or unexpected restarts.
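The monitoring step above, as an added example that is not from the advisory or from the Fleet project: a small detector that flags a burst of Fleet server crashes in systemd journal output. The unit name `fleet.service`, the journal line format and the year are assumptions, and the sample lines are constructed.

```python
"""Flag bursts of Fleet server crashes/restarts in systemd journal output."""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample journal lines (assumed unit name fleet.service, not real
# Fleet output): three crashes within a few seconds, then one isolated crash.
SAMPLE_JOURNAL = """\
Mar 03 10:00:01 fleet01 systemd[1]: Started Fleet device management server.
Mar 03 10:04:12 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 03 10:04:12 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 1.
Mar 03 10:04:17 fleet01 systemd[1]: Started Fleet device management server.
Mar 03 10:04:20 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 03 10:04:20 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 2.
Mar 03 10:04:25 fleet01 systemd[1]: Started Fleet device management server.
Mar 03 10:04:29 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Mar 03 10:04:29 fleet01 systemd[1]: fleet.service: Scheduled restart job, restart counter is at 3.
Mar 03 13:00:00 fleet01 systemd[1]: fleet.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
"""


def parse_crash_times(journal_text, unit="fleet.service", year=2026):
    """Return the timestamps of 'Main process exited' events for the unit.

    The short journal format carries no year, so one is assumed (parameter).
    """
    times = []
    for line in journal_text.splitlines():
        if f"{unit}: Main process exited" not in line:
            continue
        stamp = " ".join(line.split()[:3])  # e.g. "Mar 03 10:04:12"
        times.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    return times


def crash_bursts(times, threshold=3, window=timedelta(minutes=10)):
    """Return the timestamps at which `threshold` crashes fell inside `window`.

    A sliding window over sorted crash times; an alert fires when the window
    first reaches the threshold, so one isolated crash later does not alert.
    """
    recent = deque()
    alerts = []
    for t in sorted(times):
        recent.append(t)
        while recent and t - recent[0] > window:
            recent.popleft()
        if len(recent) == threshold:
            alerts.append(t)
    return alerts


if __name__ == "__main__":
    for when in crash_bursts(parse_crash_times(SAMPLE_JOURNAL)):
        print(f"crash burst detected at {when}: check gRPC ingress and upgrade to 4.81.0+")
```

Point the same functions at `journalctl -u fleet.service --no-pager` output to run it against a live host.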