Penetration testing of Fleet (April 2022)
We have recently had Lares perform penetration testing on our internal instance of Fleet. Lares performed the last test on 4.12. This test unveiled some authorization issues identified in this advisory and resolved in 4.13.
As promised when we published the Orbit audit, where we said we would post other audit and pentest reports, we are now publishing the full report. We resolved the most critical issues in 4.13, and we continue to track and prioritize the others.
Small redacted sections are present in the PDF as we are hiding some internal email addresses to save ourselves from receiving more spam.
You can find the full report here: 2022-04-29-fleet-penetration-test.pdf.
You can see all publicly available security audits and penetration testing reports in the Fleet documentation, including what we intend to do about the remaining issues.
The GitHub issues that relate to this test are:
Security advisory fixed in Fleet 4.13
Add manual and automated test cases for authorization #5457
Evaluate current CSV escaping and feasibility of adding if missing #5460
Increase length of login throttling delay from 4 to 10 seconds #5464
Set session duration to total session length #5476
Increase default minimum password length to 12 #5477
Add basic auth to /metrics endpoint #2322
Ensure only team admins can list other users #5657
You can also view them on the remediation board.
If you have questions about this test or Fleet security, please join us on Slack!