Applies to the following Sophos product(s) and version(s)
Mac Endpoint 9.7.4+
Operating systems
macOS
Overview
In July 2017, security researcher Patrick Wardle presented a vulnerability at DEF CON showing how third-party installers, such as Sophos', can be abused for a privilege escalation attack on macOS.
We published an article at the time about how to check the validity of our installer manually. https://community.sophos.com/kb/en-us/127252
In the latest installer for Sophos Central we have implemented security changes to mitigate this vulnerability. Part of this is ensuring that the permissions of several paths are the OS defaults, which prevents this exploit. The installer will refuse to run if the permissions do not match the table in the What to do section below.
The following error can be seen in the SophosDiagnostics logs after the failure:
2018-02-07 10:37:55.963 [com.sophos.bootstrap.helper 7135:48794 install debug] to path:(null)
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] to secure location: (null)
2018-02-07 10:37:55.965 [com.sophos.bootstrap.helper 7135:48794 install debug] insecurity detection: Error Domain=com.sophos.installer Code=30 "Error: path is not secure. /Library"
This happens when the folder named in the error is not at the OS-default permissions. Sophos Home requires the permissions listed below in order to install:
What to do
Ensure the following folders have the permissions and owners listed below:
Note: current permissions can be checked with the terminal command ls -la <foldername>
| Location | Permission | To check permissions |
|---|---|---|
| / | drwxr-xr-x root wheel (755 root wheel) | ls -la / (look at the . entry) |
| /Library | drwxr-xr-x root wheel (755 root wheel) | ls -la / (look at Library) |
| /Library/Application Support | drwxr-xr-x root admin (755 root admin) | ls -la /Library (look at Application Support) |
If any of the above do not match the current permissions on your folders, Sophos Home will not install, because installed files inherit permissions from these folders and that would be a security risk.
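As an added example (not Sophos code), the following POSIX shell script performs the checks from the table above with stat(1) instead of reading ls -la output by eye, so you know which of the three paths, if any, is off before you touch SIP. It assumes stat is available (the macOS/BSD and GNU forms are both handled) and that owner and group names contain no spaces; the function names check_path and check_sophos_paths are my own.

```shell
#!/bin/sh
# Added example, not Sophos code: verify that the paths the installer
# requires to be at the macOS defaults really are.
# Assumptions: stat(1) is present; owner and group names contain no spaces.

# Print "<octal mode> <owner> <group>" for a path. macOS/BSD stat uses -f,
# GNU stat (Linux) uses -c, so choose the flavour by OS.
path_stat() {
    if [ "$(uname -s)" = "Darwin" ]; then
        stat -f '%Lp %Su %Sg' "$1" 2>/dev/null
    else
        stat -c '%a %U %G' "$1" 2>/dev/null
    fi
}

# check_path PATH MODE OWNER GROUP
# Returns 0 when the path matches, 1 on a mismatch, 2 if it cannot be read.
check_path() {
    want_path=$1 want_mode=$2 want_owner=$3 want_group=$4
    # Word-split the stat output into $1 (mode) $2 (owner) $3 (group).
    set -- $(path_stat "$want_path")
    [ $# -eq 3 ] || { echo "ERROR  $want_path: cannot stat"; return 2; }
    if [ "$1" = "$want_mode" ] && [ "$2" = "$want_owner" ] && [ "$3" = "$want_group" ]; then
        echo "ok     $want_path ($1 $2 $3)"
        return 0
    fi
    echo "WRONG  $want_path: is $1 $2 $3, expected $want_mode $want_owner $want_group"
    # The same chmod/chown commands the article gives; they only work with SIP off.
    echo "       fix (with SIP disabled): sudo chmod $want_mode \"$want_path\" && sudo chown $want_owner:$want_group \"$want_path\""
    return 1
}

# The three locations from the table, with their OS-default mode and owner:group.
check_sophos_paths() {
    rc=0
    check_path "/" 755 root wheel || rc=1
    check_path "/Library" 755 root wheel || rc=1
    check_path "/Library/Application Support" 755 root admin || rc=1
    return $rc
}

check_sophos_paths || echo "At least one path is not at the OS default; the installer would stop with 'path is not secure'."
```

Run it as a normal user; no sudo is needed to read the permissions. A WRONG line tells you exactly which step of the procedure below applies and with which folder, and an ERROR line means the path is missing or unreadable, which also needs attention before installing.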
Steps to fix permissions/wrong owner/group:
Please read this first:
These folders are protected by System Integrity Protection (SIP) (https://support.apple.com/en-ca/HT204899) by default, so their permissions can only be changed while SIP is turned off.
Second:
This will need to be done for each of the three folders that does not match. Repeat step 5 with the appropriate folders as needed, and please see the note at the end.
1. Reboot into Recovery Mode (Command+R on boot)
2. Open Utilities->Terminal
3. Run the command (this turns off SIP): csrutil disable
4. Reboot
5. Open a Terminal and run: sudo chmod 755 <folder>
6. Reboot into Recovery Mode (Command+R on boot)
7. Open Utilities->Terminal
8. Run the command (this turns SIP back on): csrutil enable
9. Reboot
10. Run our install
Note: If the owner or group is not correct (in the output of ls -la <parent>), change it after step 5 with the matching command: "sudo chown root:wheel /", "sudo chown root:wheel /Library" or "sudo chown root:admin /Library/Application\ Support", depending on the folder.