When assessing an attack surface, we came across an instance of Jamf Pro installed on premise. You can also access Jamf Pro by using your Jamf Pro login URL. This redirects to the Duo Access Gateway login page. When we saw this paradigm of deploying Jamf Pro to the internet and having it externally exposed, our security research team became quite curious about the potential vulnerabilities that existed within it.

In particular, we were interested in pre-authentication vulnerabilities, but after spending a large chunk of time auditing the pre-authentication attack surface, we concluded that a pretty good job had been done at locking it down. Generally, we were impressed that we were not able to find any serious pre-authentication issues, and credit is due to Jamf for this. However, when looking under the hood at some of the post-authentication functionality that Jamf Pro had to offer, we discovered a server-side request forgery (SSRF) vulnerability within the Jamf product. This vulnerability also existed in Jamf's SaaS offering (Jamf Cloud), leading to AWS metadata access in Jamf's account. The CVEs associated with the SSRF vulnerabilities discovered in Jamf Pro can be found below:

We went through every route defined in the web.xml file systematically and ruled out all of the pre-authentication attack surface. After doing this exercise and not discovering any serious issues, our team looked for sinks that could lead to dangerous functionality and then reverse engineered their way back up to the source. Due to our previous experience with large enterprise products and SSRF, we decided to pinpoint which HTTP clients were in use by Jamf and then find all references to them. This proved to be a very effective mechanism for finding dangerous functionality inside Jamf regardless of whether or not authentication was required. When auditing enterprise software, it is not uncommon to find an HTTP client wrapper that is used by the rest of the code base. This was the case for Jamf, where we found an HTTP client defined in /WEB-INF/classes/com/jamfsoftware/jss/utils/HTTPUtils.
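The wrapper-centric audit described above, as an added example that is neither Jamf code nor the authors' own tooling: a small Python pass over constructed Java-like source that lists every call site of a central HTTP client wrapper (named HTTPUtils after the class in the text) and flags the ones whose URL argument descends from a request parameter. The servlet methods, wrapper method names and taint heuristics are all constructed for illustration.

```python
import re

# Constructed Java-like sample: three methods that all go through the wrapper.
SAMPLE_JAVA = """
public void doPost(HttpServletRequest request) {
    String target = request.getParameter("webhookUrl");
    HTTPUtils.get(target);
}
public void refresh() {
    String feed = "https://updates.example.invalid/feed";
    HTTPUtils.post(feed, body);
}
public void proxy(HttpServletRequest req) {
    String u = req.getParameter("u");
    String full = "https://" + u + "/api";
    HTTPUtils.get(full);
}
"""

WRAPPER = "HTTPUtils"  # the central client class named in the write-up
# Heuristics (constructed): request parameters are the taint source,
# simple assignments propagate taint, wrapper calls are the sink.
SOURCE_RE = re.compile(r"\b(\w+)\s*=\s*\w+\.getParameter\(")
ASSIGN_RE = re.compile(r"\b(\w+)\s*=\s*([^;]+);")
CALL_RE = re.compile(rf"{WRAPPER}\.(\w+)\(\s*(\w+)")
METHOD_RE = re.compile(r"(\w+)\s*\([^)]*\)\s*\{(.*?)\n\}", re.S)


def wrapper_call_sites(src: str) -> int:
    """Every call into the wrapper: the full list an auditor walks first."""
    return len(CALL_RE.findall(src))


def tainted_wrapper_calls(src: str) -> list:
    """(method, call, url_var) for wrapper calls whose URL argument is
    derived, within the same method body, from a request parameter."""
    findings = []
    for mname, body in METHOD_RE.findall(src):
        tainted = set(SOURCE_RE.findall(body))
        for var, rhs in ASSIGN_RE.findall(body):
            # Propagate taint through concatenation and re-assignment.
            if any(re.search(rf"\b{t}\b", rhs) for t in tainted):
                tainted.add(var)
        for fn, arg in CALL_RE.findall(body):
            if arg in tainted:
                findings.append((mname, f"{WRAPPER}.{fn}", arg))
    return findings


if __name__ == "__main__":
    print(wrapper_call_sites(SAMPLE_JAVA), "wrapper call sites")
    for m, call, var in tainted_wrapper_calls(SAMPLE_JAVA):
        print(f"{m}: request-controlled URL reaches {call} via {var}")
```

Because every outbound request funnels through one wrapper, the same list of call sites is also the single place where an egress allow-list or metadata-endpoint block can be enforced.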