Fleet Orbit Agent Local Privilege Escalation Vulnerability via Tcl Command Injection

Vulnerability

A local privilege escalation vulnerability has been identified in the Fleet device management software, specifically in versions prior to 4.81.1. The issue arises in the Orbit agent's FileVault disk encryption key rotation process, which collects a user's password through a GUI dialog. This password is then inserted directly into the source text of a Tcl/expect script that is executed via 'exec.Command("expect", "-c", script)'. Because the password is spliced into the script as a string literal rather than passed as data, a value containing Tcl metacharacters can close the quoted literal and append arbitrary Tcl commands, which expect then executes. Since the Orbit agent runs with root privileges, this vulnerability enables an unprivileged local user to gain root access.
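The pattern described above, and the fix for it, as an added Go example that is not Fleet's or Orbit's own code: naiveScript splices the secret into Tcl source text (the injection-prone form), while safeScript is a constant script that reads the secret from the child's environment through Tcl's $env array, so the value is substituted once as data and never re-parsed as commands. The environment variable name EXAMPLE_DISK_PASSWORD, the spawned placeholder /path/to/privileged-tool, the "Password:" prompt and the sample value are all assumptions made for this example; the real key-rotation command and prompt are not on the page.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// passwordEnvVar is a hypothetical variable name chosen for this example;
// it is not something Fleet's code uses.
const passwordEnvVar = "EXAMPLE_DISK_PASSWORD"

// naiveScript shows the injection-prone pattern: the secret becomes part of
// the Tcl source, so Tcl's parser sees whatever the user typed into the dialog.
// The spawned tool is a placeholder, not Fleet's real command.
func naiveScript(password string) string {
	return fmt.Sprintf(`spawn /path/to/privileged-tool
expect "Password:"
send "%s\r"
expect eof`, password)
}

// safeScript is a compile-time constant: the secret is never in the script text.
// Tcl substitutes $env(...) exactly once and does not re-parse the result as
// code, and "send --" prevents a value beginning with "-" being read as an option.
const safeScript = `spawn /path/to/privileged-tool
expect "Password:"
send -- "$env(` + passwordEnvVar + `)\r"
expect eof`

// buildSafeCommand prepares the expect invocation with the secret carried in
// the child's environment rather than in the script argument.
func buildSafeCommand(password string) *exec.Cmd {
	cmd := exec.Command("expect", "-c", safeScript)
	cmd.Env = append(os.Environ(), passwordEnvVar+"="+password)
	return cmd
}

// secretInScript is the review-time / unit-test check: if the secret appears
// verbatim in the script text, it was interpolated and the script is injectable.
func secretInScript(script, secret string) bool {
	return strings.Contains(script, secret)
}

func main() {
	// Constructed sample value containing Tcl metacharacters; not a real password.
	pw := `ab"[cd]$e`
	fmt.Println("naive script embeds secret:", secretInScript(naiveScript(pw), pw)) // true
	cmd := buildSafeCommand(pw)
	fmt.Println("safe script embeds secret: ", secretInScript(cmd.Args[2], pw)) // false
}
```

The environment route keeps the secret out of the argv and out of the Tcl parser's input; on a root-owned process the child's environment is readable only by root, but passing the value on stdin is equally valid and avoids leaving it in the process environment at all.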

Impact

Exploitation of this vulnerability allows any unprivileged local user on a managed endpoint to execute arbitrary commands with root privileges, effectively escalating their access rights to the highest level.

Remediation

Upgrade to Fleet version 4.81.1 or later to address this vulnerability.

Added: Apr 8, 2026, 8:43 PM
Updated: Apr 8, 2026, 8:43 PM

Vulnerability Rating

Custom Algorithm
spread: 0.8
impact: 10.0
exploitability: 4.8
remediation: 7.7
relevance: 5.5
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.