Jamfing for Joy: Attacking macOS in Enterprise

bpavlov
Honored Contributor

https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/

Just a small portion of the blog post by F-Secure which talks about the popular workaround that Jamf admins use to obscure passwords: https://github.com/jamf/Encrypted-Script-Parameters

The other case we commonly find is credentials passed into the script as arguments. In the JSS this looks something like this. Whilst these credentials don’t get written to disk, if we look at the process listings when a script is executing, we observe something similar to this. This is great news for us! The arguments are passed to the script like any other program, which means we can read them straight out of the process listings. Even better, we’re able to pull this information from a low privilege account, as even a low privilege account can see the processes and arguments of processes executing as root using the utility ps. We’ve seen local administrator credentials passed to devices in this way, so in the right environment this could serve as a handy privesc. ..... We wanted to give a special nod to the final case we’ve observed in the wild. In this variant, we can see encrypted versions of the credentials stored in the arguments, and all the necessary information to decrypt the credential in the body of the script itself. We’ve seen two reasons that organisations are doing this. Firstly, this prevents everyone with access to the JSS from being able to view (potentially privileged) plaintext credentials. Alternatively, this prevents a SIEM collecting process logs from recording the credential in plaintext. Whilst this solution effectively combats both of these issues, from an attacker’s perspective, this provides no added benefit as we have access to both data sources. .....

It would be nice if Jamf addressed this finally. They've ignored it for a while now despite folks definitely saying that the Encrypted Script Parameters workaround wasn't fully secure.

My feature request is a duplicate of the first one linked below, but in it I'm specifically asking for the ability to obscure script parameter fields and to also encrypt the parameter. Some of these feature requests are about 3 to 4 years old now.

I'm hoping now that a security company has blogged about this that Jamf will give Jamf Script parameters a bit more priority and love.

Here are some feature requests related to script parameters that would give script parameters some nice improvements:
1. https://www.jamf.com/jamf-nation/feature-requests/4355/hide-script-parameter-option-for-password
2. https://www.jamf.com/jamf-nation/feature-requests/3630/more-script-parameters
3. https://www.jamf.com/jamf-nation/feature-requests/5889/allow-longer-script-arguments-and-argument-de...
4. https://www.jamf.com/jamf-nation/feature-requests/7091/add-text-descriptions-to-script-parameters
5. https://www.jamf.com/jamf-nation/feature-requests/5797/increase-character-limit-for-parameters-to-65...
6. https://www.jamf.com/jamf-nation/feature-requests/3988/script-parameter-types-mandatory-parameters

Vote these all up and add your comments.

Hoping Jamf is able to respond to this security issue in a prompt manner.
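As an added illustration (not code from the F-Secure post, from Jamf, or from this thread), here is a defender-side audit check for the process-listing exposure quoted above: it scans `ps` output for Jamf policy scripts running with admin-defined parameters ($4 onward) and reports only the script name and the parameter count, never the values, so the audit itself does not copy a credential into a log or SIEM. The Jamf script directory, the `$1`-`$3` layout and the sample `ps` lines are assumptions/constructed.

```shell
#!/bin/sh
# Constructed sample of `ps -axo user,pid,args` output (not real data):
# one policy script carrying two admin-defined parameters, one with none.
SAMPLE_PS='USER PID ARGS
root 1 /sbin/launchd
root 812 /bin/sh /Library/Application Support/JAMF/tmp/createAccount.sh / MacBook-Pro jdoe localadmin S3cretPass!
root 815 /bin/bash /Library/Application Support/JAMF/tmp/setHostname.sh / MacBook-Pro jdoe
jdoe 901 /usr/bin/ps -axo user,pid,args'

# Directory Jamf Pro downloads policy scripts into before running them (assumption).
JAMF_TMP="/Library/Application Support/JAMF/tmp/"

# flag_jamf_script_params: reads ps output on stdin and prints "<script>:<count>"
# for every policy script running with parameters beyond the three Jamf
# supplies ($1 mount point, $2 computer name, $3 username). Values are
# deliberately not printed. Heuristic only: a parameter value containing
# spaces inflates the count, and a flagged script may carry no secret at all.
flag_jamf_script_params() {
  awk -v prefix="$JAMF_TMP" '
    {
      p = index($0, prefix)
      if (p == 0) next                       # not a Jamf policy script
      rest = substr($0, p + length(prefix))  # "script.sh arg1 arg2 ..."
      n = split(rest, tok, /[ \t]+/)
      extra = n - 1 - 3                      # drop script name and $1-$3
      if (extra > 0) printf "%s:%d\n", tok[1], extra
    }'
}

# Demo on the constructed sample; on a Mac, pipe real output instead:
#   ps -axo user,pid,args | flag_jamf_script_params
printf '%s\n' "$SAMPLE_PS" | flag_jamf_script_params
```

Because `ps` shows root processes' arguments to any local user, this check works from an unprivileged account, which is exactly why a parameter that carries a secret is exposed in the first place.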


bpavlov
Honored Contributor

I've seen some feedback on Slack saying that admins should consider alternatives. I'd ask you to work off the assumption that the use case for needing to use a password is legitimate and then consider how other services/apps on your Mac are able to perform things like authentication securely. For example, right in Jamf Pro, you can use a policy to create a user account with a password. Surely, that's being done securely. I'm not sure what the solution here is. But it seems like improvements are possible.

jmariani
Contributor

WOW

bpavlov
Honored Contributor

No comment from Jamf after a week? :(

merps
Contributor III

bump

michael_devins
Contributor II

Happy to provide some guidance, @bpavlov. First, F-Secure has been a good steward of improving security and a good partner in bringing their research to Jamf before publishing. The research published in the blog aligns with security best practices covered in our existing customer resources (Jamf Pro Security Overview, Jamf Pro Security Recommendations). In addition, we will be publishing a series of blogs to make sure our customers are aware of how to best secure their devices and company data.

Jamf is continuously monitoring the security of our portfolio. We advise and guide customers to test and adopt the latest versions of our products to ensure you have all the most up-to-date security enhancements.