SSRF vulnerability patched in Jamf Pro mobile security platform

Apple MDM service forced to execute arbitrary web requests

A vulnerability in Jamf Pro, a popular mobile device management (MDM) platform for Apple devices, allowed attackers to stage server-side request forgery (SSRF) attacks on the application’s servers, security researchers at Assetnote have found.

SSRF is a type of web security vulnerability that allows attackers to force a web server to make HTTP requests to arbitrary domains. It can lead to all kinds of malicious activity, including data theft and remote code execution.

HTTP sinks

The Assetnote researchers came across an on-premise installation of Jamf Pro while examining the attack surface of a client. Since Jamf Pro is usually exposed to the internet, the researchers became interested in potential vulnerabilities it could have.

They initially looked for pre-authentication vulnerabilities that would be accessible to attackers who did not have valid credentials in the system. Having found none, they sought post-authentication bugs, and during their probe, they found an HTTP sink function that made requests to external resources. This became their window to SSRF attacks.

“From my experience, in most enterprise applications, there is a need to make HTTP requests to external sources. This pattern is worth reviewing because it can often lead to SSRF,” Shubham Shah, the co-founder and CTO of Assetnote, told The Daily Swig.

Making arbitrary requests through the Jamf server

“My past experiences also taught me that when it is not possible to find sources in the code easily, to try and find the sinks and work your way backward to the source,” Shah said.

A little more digging into Jamf’s source code led the researchers to a page that directly sent a user-supplied URL to the HTTP sink function. This enabled the researchers to have the Jamf server execute an arbitrary web request.

Since it was a post-authentication bug, the SSRF vulnerability was not exploitable by attackers who didn’t have valid credentials. But Shah warned against underestimating such bugs.

“Given that it is possible to perform brute-force attacks against users of Jamf Pro, I see the impact to be of high nature,” he said. “An attacker can attempt to brute-force valid credentials to the Jamf Pro instance and then leverage this bug to access the internal network.

“Since this bug is post-authentication, I see it being used in an exploitation chain once access to Jamf is achieved.”

Jamf also has a cloud-hosted version, in which the SSRF could have a critical impact. The researchers found that it was possible to obtain temporary security credentials to Jamf’s AWS environment through the bug.

Jamf employed a web application firewall (WAF) rule to block exploitation of the bug on cloud instances until a patch was later applied.

Securing HTTP wrappers

Security bugs in HTTP wrappers crop up often in enterprise web applications, which means developers should be extra careful when using them.

“For convenience reasons, I have seen HTTP wrappers being implemented in code bases. When identifying potential HTTP requests being made by the application, we must identify all the locations in code that may perform requests.

“This can sometimes be missed because of the many ways that an HTTP client is initialized and used. By finding any abstractions that make HTTP calls, you can then identify all locations in code that makes use of this abstraction,” he said. “This can lead to discoveries like the bug found in Jamf Pro.”

Check out the Assetnote blog for full technical details.