- Jamf Nation Community
- Products
- Jamf Pro
- Jamfing for Joy: Attacking macOS in Enterprise
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Jamfing for Joy: Attacking macOS in Enterprise
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-20-2020 10:57 AM
https://labs.f-secure.com/blog/jamfing-for-joy-attacking-macos-in-enterprise/
Just a small portion of the blog post by F-Secure which talks about the popular workaround that Jamf admins use to obscure passwords: https://github.com/jamf/Encrypted-Script-Parameters
The other case we commonly find is credentials passed into the script as arguments. In the JSS this looks something like this. Whilst these credentials don’t get written to disk, if we look at the process listings when a script is executing, we observe something similar to this. This is great news for us! The arguments are passed to the script like any other program, which means we can read them straight out of the process listings. Even better, we’re able to pull this information from a low privilege account, as even a low privilege account can see the processes and arguments of processes executing as root using the utility ps. We’ve seen local administrator credentials passed to devices in this way, so in the right environment this could serve as a handy privesc. ..... We wanted to give a special nod to the final case we’ve observed in the wild. In this variant, we can see encrypted versions of the credentials stored in the arguments, and all the necessary information to decrypt the credential in the body of the script itself. We’ve seen two reasons that organisations are doing this. Firstly, this prevents everyone with access to the JSS from being able to view (potentially privileged) plaintext credentials. Alternatively, this prevents a SIEM collecting process logs from recording the credential in plaintext. Whilst this solution effectively combats both of these issues, from an attackers perspective, this provides no added benefit as we have access to both data sources. .....
It would be nice if Jamf addressed this finally. They've ignored it for a while now despite definitely folks saying that the Encrypted Script Parameters workaround wasn't fully secure.
My feature request is a duplicate of first one linked below, but in it I'm specifically asking for the ability to obscure script parameter fields and to also encrypt the parameter. Some of these feature requests are about 3 to 4 years old now.
I'm hoping now that a security company has blogged about this that Jamf will give Jamf Script parameters a bit more priority and love.
Here are some feature requests related to script parameters that would give script parameters some nice improvements:
1. https://www.jamf.com/jamf-nation/feature-requests/4355/hide-script-parameter-option-for-password
2. https://www.jamf.com/jamf-nation/feature-requests/3630/more-script-parameters
3. https://www.jamf.com/jamf-nation/feature-requests/5889/allow-longer-script-arguments-and-argument-de...
4. https://www.jamf.com/jamf-nation/feature-requests/7091/add-text-descriptions-to-script-parameters
5. https://www.jamf.com/jamf-nation/feature-requests/5797/increase-character-limit-for-parameters-to-65...
6. https://www.jamf.com/jamf-nation/feature-requests/3988/script-parameter-types-mandatory-parameters
Vote these all up and add your comments.
Hoping Jamf is able to respond to this security issue in a prompt manner.
Labels:
- Labels:
-
Jamf Pro
-
Scripts
-
Security Management
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-21-2020 05:16 AM
I've seen some feedback on Slack saying that admins should consider alternatives. I'd ask you to work off the assumption that the use case for needing to use a password is legitimate and then consider how other services/apps on your Mac are able to perform things like authentication securely. For example, right in Jamf Pro, you can use a policy to create a user account with a password. Surely, that's being done securely. I'm not sure what the solution here is. But it seems like improvements are possible.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-21-2020 05:44 AM
WOW
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-24-2020 06:45 AM
No comment from Jamf after a week? :(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-24-2020 07:26 AM
bump
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 04-24-2020 12:21 PM
Happy to provide some guidance, @bpavlov. First, F-Secure has been a good steward of improving security and a good partner in bringing their research to Jamf before publishing. The research published in the blog aligns with security best practices covered in our existing customer resources ( Jamf Pro Security Overview, Jamf Pro Security Recommendations ). In addition, we will be publishing a series of blogs to make sure our customers are aware of how to best secure their devices and company data.
Jamf is continuously monitoring the security of our portfolio. We advise and guide customers to test and adopt the latest versions of our products to ensure you have all the most up-to-date security enhancements.
