{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/fleet/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Orbit agent"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","tcl-injection","macos"],"_cs_type":"advisory","_cs_vendors":["Fleet"],"content_html":"\u003cp\u003eThe Orbit agent, specifically versions prior to 4.81.1 of \u003ccode\u003ego/github.com/fleetdm/fleet/v4\u003c/code\u003e, contains a local privilege escalation vulnerability related to FileVault disk encryption key rotation on macOS. The agent collects a local user's password via a GUI dialog and directly interpolates it into a Tcl/expect script executed as root. A flaw exists in how the password is handled within the Tcl script. If a password contains a '}' character, it terminates the intended literal string and allows the injection of arbitrary Tcl commands. This allows a local unprivileged user to escalate their privileges to root. This vulnerability, identified as CVE-2026-27806, poses a significant risk to organizations using affected versions of the Orbit agent as any local user can gain full control of the system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser initiates FileVault disk encryption key rotation via Orbit agent.\u003c/li\u003e\n\u003cli\u003eOrbit agent prompts the user for their password through a GUI dialog.\u003c/li\u003e\n\u003cli\u003eUser enters a password containing the '}' character, crafting a Tcl injection payload.\u003c/li\u003e\n\u003cli\u003eOrbit agent constructs a Tcl/expect script, interpolating the malicious password string into the script.\u003c/li\u003e\n\u003cli\u003eThe agent executes the script as root using \u003ccode\u003eexec.Command(\u0026quot;expect\u0026quot;, \u0026quot;-c\u0026quot;, script)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe '}' character in the password terminates the literal string within the Tcl script, injecting arbitrary Tcl commands.\u003c/li\u003e\n\u003cli\u003eThe injected Tcl commands are executed with root privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker gains root access and can perform any action on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows any unprivileged local user to gain root access on a macOS system running a vulnerable version of the Orbit agent. This could lead to complete system compromise, including data theft, modification, or destruction, and installation of malware. The vulnerability impacts all organizations using the affected Orbit agent versions, and could affect hundreds or thousands of endpoints if widely deployed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Orbit agent to version 4.81.1 or later to patch CVE-2026-27806.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Tcl Execution via Expect with Command Injection\u0026quot; to identify potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the execution of \u003ccode\u003eexpect\u003c/code\u003e with unusual command-line arguments, indicative of Tcl injection, using the Sigma rule \u0026quot;Detect Expect Process with Suspicious Arguments\u0026quot;.\u003c/li\u003e\n\u003cli\u003eImplement restrictions on local user access to prevent unauthorized access and potential exploitation of the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-26-orbit-lpe/","summary":"The Orbit agent is vulnerable to local privilege escalation due to Tcl command injection, where a crafted password containing '}' can inject arbitrary Tcl commands and allow an unprivileged local user to execute commands as root.","title":"Orbit Agent Local Privilege Escalation via Tcl Command Injection","url":"https://feed.craftedsignal.io/briefs/2024-01-26-orbit-lpe/"}],"language":"en","title":"CraftedSignal Threat Feed - Fleet","version":"https://jsonfeed.org/version/1.1"}