This article is more than 1 year old
Jamf emits mystery security fix for Pro macOS, iOS wrangler, keeps admins in dark by censoring chatter
iAdmins steaming over handling of 'critical' patch rollout
MacOS network admins are being advised to update their copies of the Jamf Pro management software following the disclosure of a critical security flaw.
The Jamf Pro 10.15.1 update includes among its fixes a patch for a security flaw that, depending upon the version being used, could allow for file deletions or remote code execution.
No attacks have been reported in the wild.
The flaw only impacts Jamf Pro server meaning end users who run Mac and iOS devices managed by Jamf are not vulnerable. This is a patch that will mostly just concern admins who use Jamf Pro to manage their devices.
That said, if a company's Jamf Pro server is compromised, it's pretty much game over for any of that server's managed devices as well.
"This vulnerability does not pose a risk to private data or managed devices. It does have the potential to impact the integrity and availability of your web server," Jamf product marketing manager Garrett Denney told customers.
"Cloud customers will be automatically upgraded during the upgrade window (Sept 28-29). Premium and Custom customers can contact their Customer Success representative to schedule an upgrade. On-premise customers can download the installer via the My Assets page on Jamf Nation."
The flaw, which has not yet been assigned a CVE number, is exploited when an attacker sends network packages to a vulnerable box.
"A request containing specially crafted JSON that is sent to certain endpoints in Jamf Pro could result in the deletion of files on the server and/or Denial of Service," Jamf CISO Aaron Kiemele said in a statement to El Reg.
"In affected versions of Jamf Pro prior to 10.14.0, these requests could also result in remote code execution."
As Kiemele noted, the severity of the vulnerability depends on your version of Jamf Pro. For companies running versions 9.4 through 10.13, the risk is the highest as a successful attack will open the door to remote code execution.
On version 10.14 through 10.15, the attacker would be able to delete files on the server, but not install or execute code.
While most devices were not vulnerable, Jamf's handling of the patch release and its support for customers leaves a lot to be desired. Initially, Jamf only released a support post that told admins there was a new version available and they would need to update in order to address a "critical security vulnerability."
Naturally, and rightly so, this drew protests from admins who explained that they needed details such as CVE numbers and CVSS scores in order to properly assess the flaw and plan the patching.
Jamf, however, said it would only provide those details to individual administrators via email, and posts relaying that information to others were promptly deleted by moderators.
It was only after angry customers reposted the emails on public sites including GitHub that the details on the vulnerability were made public. ®
Biting the hand that feeds IT
