When assessing an attack surface, we came across an instance of Jamf Pro installed on premise. To us, when we saw this paradigm of deploying Jamf Pro to the internet and having it externally exposed, our security research team was quite curious about potential vulnerabilities that existed within it. In particular, we were interested in pre-authentication vulnerabilities, but after spending a huge chunk of time auditing the pre-authentication attack surface, we concluded that a pretty good job had been done at locking this down. Generally, we were impressed that we were not able to find any serious pre-authentication issues, and credit is due to Jamf for this. However, when looking under the hood at some of the post-authentication functionality that Jamf Pro had to offer, we discovered a server-side request forgery vulnerability within the Jamf product. This vulnerability also existed in Jamf's SaaS offering (Jamf Cloud), leading to AWS metadata access in Jamf's account. The CVEs associated with the SSRF vulnerabilities discovered in Jamf Pro can be found below:

We went through every route defined in the web.xml file systematically and ruled out all of the pre-authentication attack surface. After doing this exercise and not discovering any serious issues, our team looked for sinks that could lead to dangerous functionality and then reverse engineered their way back up to the source. Due to our previous experiences with large enterprise products and SSRF, we decided to pinpoint which HTTP clients were in use by Jamf and then find all references to those HTTP clients. This proved to be a very effective mechanism for finding dangerous functionality inside Jamf, regardless of whether or not authentication was required. When auditing enterprise software, it is not uncommon to find an HTTP client wrapper that is used by the rest of the code base. This was the case for Jamf, where we found an HTTP client defined in /WEB-INF/classes/com/jamfsoftware/jss/utils/HTTPUtils.

Devices automatically enroll into Jamf Pro management once the user completes the simple Setup Assistant steps and can be pre-configured with all the software, apps and settings they need to be successful. Through an intuitive self-enrollment process, users are up and running quickly. Jamf for Jira is a Jamf Pro integration for Jira Service Management, Jira Software for class. A demo video about how to configure and work with Jamf for Jira.