JAMF Software has a number of solutions for fleet management of Apple products, including their own Apple MDM. The issue discussed in this post applies to the self-hosted JAMF Casper Suite and deploying a JSS. This suite of tools includes software that helps track inventory, manage devices, implement security policies, and deploy software and scripts to endpoint Apple product clients. With the self-hosted solution, organizations are responsible for generating the SSL certificate used with the JSS. JAMF provides an outline to secure your JSS.
The “JSS Settings” section of the document outlines additional settings, most notably “Enable SSL certificate verification”. This setting is not on by default, because during configuration of the self-hosted JSS deployment option the organization is responsible for ensuring that SSL/TLS certificates are properly deployed before enabling it.
According to the researchers at Okta:
After conducting a successful MITM attack, with the “Enable SSL certificate verification” box not checked, we noticed that JSS client-server communications are clear text XML usually encapsulated in SSL/TLS communications. Contained in the XML data blobs from the server are policy enforcement actions, packages and scripts to deploy, and a randomly generated management password for the JAMF admin account on the client.
If the MITM attack is successful, an attacker could deploy scripts and packages to the clients and steal the management password for that particular endpoint client.
The mitigation for this attack is simple. The organization needs to have the SSL certificate generated before installing JSS. During the JSS installation, check the box for “Enable SSL certificate verification”.
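Before enabling the setting, it helps to confirm that the certificate the JSS presents would be accepted by a client that verifies it. The following is an added example, not code from JAMF or Okta: a pre-flight check that performs a TLS handshake with chain and hostname verification on. The function names, `jss.example.internal` and port 8443 are assumptions to replace with your own values.

```python
import socket
import ssl


def strict_context(ca_file=None):
    """TLS context that behaves like a client with verification enabled."""
    ctx = ssl.create_default_context(cafile=ca_file)
    # create_default_context already sets both; they are stated explicitly
    # because they are the two checks a non-verifying client gives up.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def preflight(host, port, ca_file=None, timeout=5.0):
    """Return (ok, detail): would a verifying client accept this server?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = strict_context(ca_file)
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "valid until " + cert.get("notAfter", "unknown")
    except ssl.SSLCertVerificationError as exc:
        # Untrusted issuer, expired certificate, or hostname mismatch.
        return False, "certificate rejected: " + exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Handshake failure, refused connection, timeout, DNS error.
        return False, "no TLS session: " + str(exc)


if __name__ == "__main__":
    # Hypothetical JSS address (assumption); pass ca_file for an internal CA.
    print(preflight("jss.example.internal", 8443))
```

A result of `(False, "certificate rejected: ...")` means clients would fail to connect once verification is turned on, so fix the certificate or trust chain first.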