Posted on 03-04-2019 10:35 AM
Has anyone heard of this vulnerability? I find it strange that on the GitHub link the screenshot from Self Service is a very old version from what I can see.
https://nvd.nist.gov/vuln/detail/CVE-2019-9146
https://github.com/PAGalaxyLab/VulInfo/blob/master/JAMF/JAMF%20software%20%20local%20permission%20promotion%20vulnerability.md
My main concern is: has it been fixed in 10.10? Not seeing any confirmation in 10.10 or 10.10.1 release notes.
Posted on 03-04-2019 11:10 AM
Hello JAMF support could you please give us update about this CVE-2019-9146 ASAP?
Posted on 03-04-2019 11:50 AM
Is the reference to the "publish Bash shell scripts feature" simply about Self Service executing a script?
Posted on 03-04-2019 12:42 PM
Not sure, I just have those two links.
Posted on 03-04-2019 12:55 PM
The Github page on this vuln is very poorly written, but what I can gather from it is that it's saying that, using the proper tools, it's possible to gain a root shell by intercepting the Jamf commands during a Self Service policy run. From the screenshots, it looks like at the end they are running Terminal in a root shell, presumably even if they are not an administrator on the Mac, but I don't know that last part for sure since it doesn't specifically say that. I only make that assumption because an admin gaining a root shell on macOS is trivial, so that would not be a real vulnerability.
Posted on 03-04-2019 01:13 PM
I've opened a support case with Support for their Security Team to look into this and provide info on what we can do to secure Self Service. Perhaps they can also reply here and provide Jamf's official recommendations on what to do.
Posted on 03-05-2019 06:53 AM
I opened a support case yesterday also, since our InfoSec and audit teams give us a limited window to remediate disclosed vulnerabilities, based on the CVSS. When I logged in today to check the status, the case is gone: no longer in my active cases, and not listed in my inactive ones. I'll open a new ticket shortly; hopefully it is not removed as well.
It sure would be great to receive a response from Jamf either via this thread or our support ticket(s). Even if this is of fairly limited impact now, a high CVSS is going to gain some visibility eventually.
Posted on 03-05-2019 07:41 AM
We are aware of this issue. It was reported as a 10.9 vulnerability, but clearly shows the 2016 version 9.101.4 of Jamf Pro being used. We would contest both the description and the scoring, as it suggests no privilege is needed on the local host to execute. To use this exploit to gain privilege on a local machine, you either need admin privilege on that machine to start or a broad network compromise. We will continue to track this issue, and are working with the National Vulnerability Database to have this CVE reviewed.
Aaron Kiemele
CISO
Jamf
Posted on 03-05-2019 08:17 AM
I agree that this seems like a bogus CVE. According to its own instructions, you need to edit the network settings on the computer to begin to use this exploit, which requires admin rights in most realistic circumstances.
Posted on 03-05-2019 11:09 AM
In the Github repo, there's a screenshot of them doing the same with a 10.x client
https://github.com/PAGalaxyLab/VulInfo/blob/master/JAMF/JAMF%20software%20local%20permission%20promotion%20vulnerability%232.md
What it looks like is "create a package", use burp to intercept package and inject your own package and then that'll run terminal.
I can see how this works but if you're crc checking your packages it would fail.
Posted on 03-06-2019 03:39 AM
You have to be an admin to install the root cert & set the proxy settings to perform the MITM...
So the issue becomes "Admin can run scripts with elevated privileges..."
I'm more annoyed with MITRE & their lack of due diligence in assigning this a CVE tbh, than anything else..