Question

CVE-2019-9146

  • March 4, 2019
  • 10 replies
  • 41 views


Has anyone heard of this vulnerability? I find it strange that on the GitHub link the screenshot from Self Service is a very old version from what I can see.

https://nvd.nist.gov/vuln/detail/CVE-2019-9146

https://github.com/PAGalaxyLab/VulInfo/blob/master/JAMF/JAMF%20software%20%20local%20permission%20promotion%20vulnerability.md

My main concern is: has it been fixed in 10.10? Not seeing any confirmation in 10.10 or 10.10.1 release notes.

10 replies

  • New Contributor
  • March 4, 2019

Hello JAMF support, could you please give us an update about CVE-2019-9146 ASAP?


  • Contributor
  • March 4, 2019

Is the reference to the "publish Bash shell scripts feature" simply about Self Service executing a script?


  • Author
  • Contributor
  • March 4, 2019

Not sure, I just have those two links.


mm2270
  • Legendary Contributor
  • March 4, 2019

The GitHub page on this vuln is very poorly written, but what I can gather from it is that it's saying that, using the proper tools, it's possible to gain a root shell by intercepting the Jamf commands during a Self Service policy run. From the screenshots, it looks like at the end they are running Terminal in a root shell, presumably even if they are not an administrator on the Mac, but I don't know that last part for sure since it doesn't specifically say that. I only make that assumption because an admin gaining a root shell on macOS is trivial, so that would not be a real vulnerability.


  • Author
  • Contributor
  • March 4, 2019

I've opened a support case with Support for their Security Team to look into this and provide info on what we can do to secure Self Service. Perhaps they can also reply here and provide Jamf's official recommendations on what to do.


  • Valued Contributor
  • March 5, 2019

I opened a support case yesterday also, since our InfoSec and audit teams give us a limited window to remediate disclosed vulnerabilities, based on the CVSS. When I logged in today to check the status, the case is gone: no longer in my active cases, and not listed in my inactive ones. I'll open a new ticket shortly; hopefully it is not removed as well.

It sure would be great to receive a response from Jamf either via this thread or our support ticket(s). Even if this is of fairly limited impact now, a high CVSS is going to gain some visibility eventually.



We are aware of this issue. It was reported as a 10.9 vulnerability, but clearly shows the 2016 version 9.101.4 of Jamf Pro being used. We would contest both the description and the scoring, as it suggests no privilege is needed on the local host to execute. To use this exploit to gain privilege on a local machine, you either need admin privilege on that machine to start or a broad network compromise. We will continue to track this issue, and are working with the National Vulnerability Database to have this CVE reviewed.

Aaron Kiemele
CISO Jamf


  • Valued Contributor
  • March 5, 2019

I agree that this seems like a bogus CVE. According to its own instructions, you need to edit the network settings on the computer to begin to use this exploit, which requires admin rights in most realistic circumstances.


  • Honored Contributor
  • March 5, 2019

In the GitHub repo, there's a screenshot of them doing the same with a 10.x client:

https://github.com/PAGalaxyLab/VulInfo/blob/master/JAMF/JAMF%20software%20local%20permission%20promotion%20vulnerability%232.md

What it looks like is "create a package", use Burp to intercept the package and inject your own package, and then that'll run Terminal.

I can see how this works, but if you're CRC-checking your packages it would fail.
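The integrity check mentioned in the reply above, as an added example that is not part of this thread and is not Jamf's own tooling. It assumes the admin records a SHA-256 digest for each package at upload time and keeps that digest somewhere the download channel cannot rewrite (a policy parameter or a file pushed separately); the package bytes and the "injected" modification are constructed for the demo. A digest that travels over the same intercepted connection as the package gives no protection, which is the caveat that matters for the attack described in this thread.

```python
"""Verify a downloaded installer against an expected SHA-256 digest before installing.

Added illustration for this thread; not Jamf's code. The manifest/source of the
expected digest and the file paths are assumptions.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large installers never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_package(path, expected_hex):
    """Return True only if the file's digest equals the expected digest.

    hmac.compare_digest keeps the comparison constant-time; not critical for a
    local file check, but it costs nothing and avoids a bad habit.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Build a constructed 'package', record its digest, tamper with it, and re-check.

    Returns (untampered_verifies, tampered_verifies); the expected result is (True, False).
    """
    with tempfile.TemporaryDirectory() as tmp:
        pkg = os.path.join(tmp, "Example.pkg")
        with open(pkg, "wb") as f:
            # Constructed placeholder bytes; not a real xar/pkg archive.
            f.write(b"xar!" + b"\x00" * 1024)

        # The digest the admin would have recorded at upload time, out of band.
        expected = sha256_of_file(pkg)
        untampered_ok = verify_package(pkg, expected)

        # Simulate a substituted or modified download arriving on the client.
        with open(pkg, "ab") as f:
            f.write(b"injected")
        tampered_ok = verify_package(pkg, expected)

        return untampered_ok, tampered_ok


if __name__ == "__main__":
    good, bad = demo()
    print("untampered package verifies:", good)   # True
    print("tampered package verifies:", bad)      # False
```

In a Self Service policy this would run as a pre-install step: compute the digest of the downloaded file, compare it with the value the admin pinned, and abort the install (and log the mismatch) on failure, so a substituted package is never handed to the installer.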


bentoms
  • Hall of Fame
  • March 6, 2019

You have to be an admin to install the root cert & set the proxy settings to perform the MITM...

So the issue becomes "Admin can run scripts with elevated privileges..."

I'm more annoyed with MITRE & their lack of due diligence in assigning this a CVE tbh, than anything else.