Fleet
cpe:2.3:a:fleetdm:fleet:*:*:*:*:*:*:*, +2 more
- < 4.81.1
A command injection vulnerability has been identified in Fleet's software installer pipeline, prior to version 4.81.1. This vulnerability allows an attacker to execute arbitrary code as root on macOS and Linux, or as SYSTEM on Windows, on managed hosts. The issue arises when an uninstall is triggered for a crafted software package. The root cause is that metadata extracted from uploaded packages is interpolated into automatically generated uninstall scripts without proper sanitization or quoting. An attacker could embed a malicious payload in the package metadata, which would then be executed during the uninstallation process.
Exploitation of this vulnerability could lead to unauthorized arbitrary code execution on managed hosts, with elevated privileges. On macOS and Linux, the code would be executed as root, while on Windows, it would run as the SYSTEM user.
Users are advised to upgrade to Fleet version 4.81.1 or later. Administrators should only upload software packages from trusted sources and review package metadata before uploading. If an immediate upgrade is not possible, manually inspect and edit the auto-generated uninstall scripts before deployment.
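The defect class described above (package metadata pasted verbatim into a generated shell script) and the recommended review of metadata before upload can both be illustrated with the following Go example. It is an added example written for this page, not Fleet's own code: the `PackageMetadata` type, the field names, the script layout and the sample package are all assumptions constructed for the demonstration. It contrasts an unquoted script generator with one that single-quotes every interpolated value, and adds a small checker that flags metadata fields containing shell metacharacters so an operator can review a package before it reaches the pipeline.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// PackageMetadata is a constructed stand-in for the fields an installer
// pipeline might extract from an uploaded package (assumed names, not
// Fleet's own types).
type PackageMetadata struct {
	Name     string
	BundleID string
	Version  string
}

// shellQuote wraps s in single quotes so the shell treats it as a single
// literal word. Embedded single quotes are closed, escaped, and reopened
// ('\''), which is the one sequence single quotes cannot contain directly.
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// unsafeUninstallScript reproduces the defect class: the metadata value is
// pasted into the script text, so shell syntax inside it (quotes, $, $( ),
// backticks) is interpreted rather than treated as part of a path.
func unsafeUninstallScript(m PackageMetadata) string {
	return fmt.Sprintf("#!/bin/sh\nrm -rf \"/Applications/%s.app\"\n", m.Name)
}

// safeUninstallScript quotes the interpolated value, so whatever the
// metadata contains it only ever becomes an argument, never script syntax.
func safeUninstallScript(m PackageMetadata) string {
	return fmt.Sprintf("#!/bin/sh\nrm -rf %s\n",
		shellQuote("/Applications/"+m.Name+".app"))
}

// suspiciousMeta matches characters that have meaning to a POSIX shell and
// have no business in a package name, bundle identifier or version string.
var suspiciousMeta = regexp.MustCompile("[;&|`$<>\\\\\"'\r\n]")

// suspiciousFields returns the sorted names of metadata fields that contain
// shell metacharacters, for pre-upload review of a package.
func suspiciousFields(m PackageMetadata) []string {
	fields := map[string]string{
		"name":      m.Name,
		"bundle_id": m.BundleID,
		"version":   m.Version,
	}
	var out []string
	for name, value := range fields {
		if suspiciousMeta.MatchString(value) {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample: a name with an apostrophe and a variable reference,
	// enough to show the two generators diverge without running anything.
	pkg := PackageMetadata{Name: "O'Brien's Tool $HOME", BundleID: "com.example.demo", Version: "1.0.0"}
	fmt.Println("unsafe script:\n" + unsafeUninstallScript(pkg))
	fmt.Println("safe script:\n" + safeUninstallScript(pkg))
	fmt.Println("fields to review:", suspiciousFields(pkg))
}
```

In the unsafe script the double-quoted path still lets the shell expand `$HOME`, and the apostrophes would be fatal for a single-quoted variant; in the safe script the whole path is one literal word regardless of its contents. The checker is deliberately conservative: a legitimate package name containing an apostrophe is flagged for a human to look at, which is the cheap side of this trade-off.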