A security duo composed by Jesse Endahl, CPO and CSO at macOS management firm Fleetsmith, and Max Bélanger, staff engineer at Dropbox, demonstrated at the Black Hat security conference how a persistent attacker could compromise brand new Mac systems in enterprise environments on the first boot.
The experts leverage the Apple mobile device management protocol to retrieve the manifest and install a different application than the one chosen by the victim.
MDM allows administrators in enterprises to remotely manage macOS and iOS devices, it allows to easily install or remove applications, lock devices or securely erase them.
Every time a new device is added in an enterprise, it receives a Configuration Profile, an operation that can be performed automatically using the Device Enrollment Program (DEP).
macOS computers automatically contact the MDM server during the boot or after a factory reset procedure.
The DEP profile sent to the device is created by the MDM server and includes information related to software installation (i.e. server’s URL, pinned certificates).
By using the MDM command InstallApplication, administrators can install a specified application. The command uses a manifest URL that returns an XML file containing all the information needed to install the application.
The experts explained that it is possible to manipulate this manifest to install a specific application by carrying out a man-in-the-middle (MitM) attack.
The attack is not easy to conduct, anyway, a sophisticated nation-state actor or an ISP could carry out it.
The attack can exploit this technique to force the installation of a malicious application as soon as the macOS computers connect to the MDM server.
The security duo reported the hacking technique to Apple in April and early May Apple acknowledged it. Apple addressed the issue in July with the release of macOS version 10.13.6.
“We disclosed the issue to Apple shortly after discovering it. Based on our feedback, a fix was quickly implemented in the form of a new MDM command: InstallEnterpriseApplication, which is now documented publicly” reads the research paper published by the experts.
“This command (available as of macOS 10.13.6) allows MDM vendors to provide specific certificates to pin the request to the ManifestURL (using the new ManifestURLPinningCerts property of said command). It is up to the MDM vendor to implement this, but this serves as an adequate solution to this problem. We will take a closer look at how the vulnerability was addressed.”
With the new release, Apple introduced the InstallEnterpriseApplication MDM that allows MDM vendors to provide certificates to pin the request to the manifest URL.