<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Fleet - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/fleet/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 26 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/fleet/feed.xml" rel="self" type="application/rss+xml"/><item><title>Orbit Agent Local Privilege Escalation via Tcl Command Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-26-orbit-lpe/</link><pubDate>Fri, 26 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-26-orbit-lpe/</guid><description>The Orbit agent is vulnerable to local privilege escalation due to Tcl command injection, where a crafted password containing '}' can inject arbitrary Tcl commands and allow an unprivileged local user to execute commands as root.</description><content:encoded><![CDATA[<p>The Orbit agent, specifically versions prior to 4.81.1 of <code>go/github.com/fleetdm/fleet/v4</code>, contains a local privilege escalation vulnerability related to FileVault disk encryption key rotation on macOS. The agent collects a local user's password via a GUI dialog and directly interpolates it into a Tcl/expect script executed as root. A flaw exists in how the password is handled within the Tcl script. If a password contains a '}' character, it terminates the intended literal string and allows the injection of arbitrary Tcl commands. This allows a local unprivileged user to escalate their privileges to root. This vulnerability, identified as CVE-2026-27806, poses a significant risk to organizations using affected versions of the Orbit agent as any local user can gain full control of the system.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>User initiates FileVault disk encryption key rotation via Orbit agent.</li>
<li>Orbit agent prompts the user for their password through a GUI dialog.</li>
<li>User enters a password containing the '}' character, crafting a Tcl injection payload.</li>
<li>Orbit agent constructs a Tcl/expect script, interpolating the malicious password string into the script.</li>
<li>The agent executes the script as root using <code>exec.Command(&quot;expect&quot;, &quot;-c&quot;, script)</code>.</li>
<li>The '}' character in the password terminates the literal string within the Tcl script, injecting arbitrary Tcl commands.</li>
<li>The injected Tcl commands are executed with root privileges.</li>
<li>The attacker gains root access and can perform any action on the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows any unprivileged local user to gain root access on a macOS system running a vulnerable version of the Orbit agent. This could lead to complete system compromise, including data theft, modification, or destruction, and installation of malware. The vulnerability impacts all organizations using the affected Orbit agent versions, and could affect hundreds or thousands of endpoints if widely deployed.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the Orbit agent to version 4.81.1 or later to patch CVE-2026-27806.</li>
<li>Deploy the Sigma rule &quot;Detect Tcl Execution via Expect with Command Injection&quot; to identify potential exploitation attempts in your environment.</li>
<li>Monitor process creation events for the execution of <code>expect</code> with unusual command-line arguments, indicative of Tcl injection, using the Sigma rule &quot;Detect Expect Process with Suspicious Arguments&quot;.</li>
<li>Implement restrictions on local user access to prevent unauthorized access and potential exploitation of the vulnerability.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>privilege-escalation</category><category>tcl-injection</category><category>macos</category></item></channel></rss>