CVE-2018-10465 in Jamf Pro
Summary
by MITRE
Jamf Pro 10.x before 10.3.0 has Incorrect Access Control. Jamf Pro user accounts and groups with access to log in to Jamf Pro had full access to endpoints in the Universal API (UAPI), regardless of account privileges or privilege sets. An authenticated Jamf Pro account without required privileges could be used to perform CRUD actions (GET, POST, PUT, DELETE) on UAPI endpoints, which could result in unauthorized information disclosure, compromised data integrity, and data loss. For a full listing of available UAPI endpoints and associated CRUD actions you can navigate to /uapi/doc in your instance of Jamf Pro.
Analysis
by VulDB Data Team • 01/08/2020
CVE-2018-10465 is an access control flaw in Jamf Pro 10.x before 10.3.0 that undermines the platform's privilege model. Any user account or group that could log in to Jamf Pro was given unrestricted access to the Universal API (UAPI). The flaw sits at the authorization layer: the server treated a successful login as sufficient and never consulted the account's privileges or privilege sets when serving API operations. It is classified under CWE-284 (Improper Access Control), the case where the authorization check that should gate each operation is missing, so callers bypass the intended restrictions. In practice any authenticated user could perform all four CRUD operations (GET, POST, PUT, DELETE) against every UAPI endpoint, ignoring the privilege separation that is supposed to limit access by role; the exposed endpoints are the ones listed at /uapi/doc on an instance.
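The authorization gap just described, as an added Python model that is not Jamf Pro's code (VulDB publishes none): the vulnerable gate accepts any authenticated caller, while the fixed gate checks the account's privilege set for each route and verb and denies routes it does not know. The route paths, privilege names and accounts below are constructed for illustration and are not Jamf Pro's real UAPI routes or privilege set names.

```python
"""Authentication-is-not-authorization: the gap behind CVE-2018-10465.

Added illustration, not Jamf Pro's code. Routes, privilege names and
accounts are constructed; real UAPI routes are listed at /uapi/doc.
"""
import re
from dataclasses import dataclass

# Constructed privilege table: which privilege each UAPI route+verb needs.
REQUIRED_PRIVILEGE = {
    ("GET", "/uapi/v1/computers"): "read_computers",
    ("GET", "/uapi/v1/computers/{id}"): "read_computers",
    ("DELETE", "/uapi/v1/computers/{id}"): "delete_computers",
    ("POST", "/uapi/v1/policies"): "create_policies",
    ("PUT", "/uapi/v1/policies/{id}"): "update_policies",
}

_ID_SEGMENT = re.compile(r"/\d+(?=/|$)")


def route_key(method, path):
    """Normalise a request so '/uapi/v1/computers/42?x=1' matches the
    '{id}' route in the table (query string and trailing slash dropped)."""
    path = path.split("?", 1)[0].rstrip("/") or "/"
    return method.upper(), _ID_SEGMENT.sub("/{id}", path)


@dataclass(frozen=True)
class Account:
    name: str
    authenticated: bool
    privileges: frozenset = frozenset()


def authorize_vulnerable(account, method, path):
    """Pre-10.3.0 behaviour as the advisory describes it: a valid login is
    treated as sufficient for every verb; the privilege set is never read."""
    return account.authenticated


def authorize_fixed(account, method, path):
    """Per-route, per-verb check against the account's privilege set.
    Unknown routes are denied (deny by default)."""
    if not account.authenticated:
        return False
    needed = REQUIRED_PRIVILEGE.get(route_key(method, path))
    return needed is not None and needed in account.privileges


def exposure_delta(account, requests):
    """Requests the vulnerable gate allows but the fixed gate denies:
    exactly the unauthorized actions the advisory warns about."""
    return [(m, p) for m, p in requests
            if authorize_vulnerable(account, m, p)
            and not authorize_fixed(account, m, p)]


# Constructed accounts: a read-only helpdesk login, a full admin, no login.
HELPDESK = Account("helpdesk1", True, frozenset({"read_computers"}))
ADMIN = Account("jamf-admin", True, frozenset(REQUIRED_PRIVILEGE.values()))
ANON = Account("nobody", False)

# Constructed probe: one request per route+verb in the table.
PROBE = [
    ("GET", "/uapi/v1/computers"),
    ("GET", "/uapi/v1/computers/42"),
    ("DELETE", "/uapi/v1/computers/42"),
    ("POST", "/uapi/v1/policies"),
    ("PUT", "/uapi/v1/policies/7?x=1"),
]

if __name__ == "__main__":
    for acct in (HELPDESK, ADMIN, ANON):
        print(acct.name, exposure_delta(acct, PROBE))
```

The helpdesk account shows the bug: every write it has no privilege for passes the vulnerable gate and fails the fixed one, while the admin and the unauthenticated caller see no difference between the two gates. Deny-by-default for unknown routes matters because a new endpoint added without a table entry would otherwise reopen the same hole.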
The operational impact goes well beyond unauthorized reading, because enterprises rely on Jamf Pro to manage and secure their device fleet. An attacker holding any valid login could issue GET requests to pull inventory and configuration data for managed endpoints, POST requests to create policies or other objects, PUT requests to alter existing device settings, and DELETE requests to remove records. In ATT&CK terms this is abuse of T1078 (Valid Accounts): the only prerequisite is a legitimate, low-privilege Jamf Pro login. The flaw effectively disables the privilege management system, letting low-privilege users perform actions reserved for administrators or security staff, and because the UAPI is a primary interface for managing devices and configurations, every object reachable through it was open to unauthorized modification.
Organizations running a vulnerable version face three classes of risk: unauthorized disclosure of endpoint inventory, user information and system configuration; integrity compromise, since device configurations, policies (including ones that deploy software) and security settings can be changed by anyone who can log in; and data loss through deletion of records held in Jamf Pro. Exploitation requires nothing more than a valid login, so the flaw can be used by insiders or by external attackers holding stolen or phished credentials. Remediation is to upgrade to Jamf Pro 10.3.0 or later, which enforces privilege checks on the UAPI. After upgrading, verify the fix directly: authenticate with a deliberately low-privilege account and confirm that UAPI requests outside its privilege set are rejected. Security teams should also audit user accounts and privilege assignments (on an unpatched instance every login is effectively a full API credential), restrict network access to the Jamf Pro API where feasible, and review web-server access logs for UAPI activity that does not match an account's role, particularly POST, PUT and DELETE requests from accounts that should be read-only. The case illustrates that authentication is not authorization: every API route needs its own privilege check, and regular assessments should look for routes that skip it.
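A log-review check of the kind recommended above, as an added example that is not part of the VulDB analysis or of Jamf's tooling. It scans constructed Tomcat/Apache combined-format access log lines (authenticated user in the third field) for two patterns: mutating UAPI verbs from accounts outside an admin allow-list, and one account walking many distinct UAPI collections inside a short window. The log lines, account names, allow-list and thresholds are all constructed for the example; adapt the regex and allow-list to your own log layout and roles.

```python
"""Access-log detection for CVE-2018-10465 abuse.

Added example, not VulDB's or Jamf's code. The sample log lines, the
admin allow-list and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed allow-list: accounts expected to make changes through the UAPI.
ADMIN_ACCOUNTS = {"jamf-admin"}
MUTATING = {"POST", "PUT", "DELETE"}
ENUM_THRESHOLD = 5                   # distinct UAPI paths by one account ...
ENUM_WINDOW = timedelta(minutes=5)   # ... inside this window

# Combined log format with the authenticated user in the third field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: a read-only helpdesk login enumerating the API and
# then deleting a computer record (unpatched instance, 204), a legitimate
# admin change, and a later write attempt that a patched instance refuses.
SAMPLE_LOG = """\
10.0.0.5 - helpdesk1 [08/Jan/2020:10:00:01 +0000] "GET /uapi/v1/computers HTTP/1.1" 200 5120
10.0.0.5 - helpdesk1 [08/Jan/2020:10:00:09 +0000] "GET /uapi/v1/users HTTP/1.1" 200 800
10.0.0.5 - helpdesk1 [08/Jan/2020:10:00:15 +0000] "GET /uapi/v1/scripts HTTP/1.1" 200 900
10.0.0.5 - helpdesk1 [08/Jan/2020:10:00:22 +0000] "GET /uapi/v1/policies HTTP/1.1" 200 2200
10.0.0.5 - helpdesk1 [08/Jan/2020:10:00:30 +0000] "GET /uapi/v1/departments HTTP/1.1" 200 300
10.0.0.5 - helpdesk1 [08/Jan/2020:10:01:02 +0000] "DELETE /uapi/v1/computers/42 HTTP/1.1" 204 0
10.0.0.9 - jamf-admin [08/Jan/2020:10:05:00 +0000] "PUT /uapi/v1/policies/7 HTTP/1.1" 200 150
10.0.0.5 - helpdesk1 [08/Jan/2020:11:30:00 +0000] "POST /uapi/v1/scripts HTTP/1.1" 403 0
"""


def parse(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text):
    """Return findings for suspicious UAPI use, in log order."""
    findings = []
    seen = defaultdict(list)       # user -> [(timestamp, path)]
    flagged_enum = set()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith("/uapi/"):
            continue
        user = rec["user"]
        # Rule 1: a write verb from an account that should be read-only.
        if rec["method"] in MUTATING and user not in ADMIN_ACCOUNTS:
            findings.append({
                "rule": "unexpected_mutation",
                "user": user,
                "request": f'{rec["method"]} {rec["path"]}',
                # 2xx: the write went through (unpatched instance).
                # 403: the privilege check held (patched), still an attempt.
                "succeeded": 200 <= rec["status"] < 300,
            })
        # Rule 2: one account touching many distinct UAPI paths quickly,
        # the pattern of someone walking the list from /uapi/doc.
        seen[user].append((rec["ts"], rec["path"]))
        recent = {p for t, p in seen[user] if rec["ts"] - t <= ENUM_WINDOW}
        if len(recent) >= ENUM_THRESHOLD and user not in flagged_enum:
            flagged_enum.add(user)
            findings.append({"rule": "uapi_enumeration", "user": user,
                             "distinct_paths": len(recent)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The status code separates the two situations the advisory's remediation cares about: a 2xx on a write from a read-only account is evidence the instance was unpatched when it happened, while a 403 on the same request after the upgrade confirms the fix holds and still points at an account worth a closer look.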