On 2024-05-31, Snowflake, one of Kandji's sub-processors, made a public disclosure describing "an increase in cyber threat activity targeting some of [Snowflake's] customers’ accounts."
Kandji's security team responded by monitoring based on the IOCs published by Snowflake. Based on this monitoring, no evidence of IOC activity against Kandji has been observed.
Additionally, Kandji is not one of the "limited number of Snowflake customers" that was affected.
Kandji has made inquiries to other sub-processors that depend on Snowflake. At this time there has been no indication that any other Snowflake-dependent sub-processors that Kandji utilizes were affected by the aforementioned publicly disclosed threat actor activity.
Session Timeout Enhancements
We’re committed to continuously improving the security of the Kandji Web App. With this in mind, we’re updating our session management protocols to better protect your data.
To ensure the security of your account, sessions will now expire after 24 hours of continuous use and automatically log out after 60 minutes of inactivity.
Why this matters
Your security is our priority. By shortening session times, we’re adding an extra layer of protection against unauthorized access, giving you peace of mind that access to your Apple fleet is secure.
Need assistance?
Our support team is ready to help with any questions or concerns you may have about these changes. Check out our Knowledge Base article, or reach out to us anytime - we’re here to ensure your experience is seamless and secure.
The Kandji Security team has investigated and continues to monitor the curl security advisory CVE-2023-38545 (curl SOCKS5 heap buffer overflow) disclosed on 11 October, 2023.
Kandji has assessed the risk for CVE-2023-38545 (curl SOCKS5 heap buffer overflow) using our internal processes and has determined that the vulnerability does not create a vector for exploitation in Kandji’s infrastructure. As there is not a vector for exploitation, Kandji will apply updates via our regular update processes instead of via an expedited process.
The SOCKS5 protocol is not in use in Kandji’s infrastructure and Kandji has no clients or services that communicate with non-Kandji infrastructure using SOCKS5.
CVE-2023-38545 only presents an attack surface in very specific use cases related to the use of the SOCKS5 protocol by libcurl, or by the curl CLI tool with the --limit-rate command line option configured with one of a set of specific non-default values.
As this attack surface is not present in Kandji infrastructure, Kandji infrastructure is not vulnerable to this attack.
Kandji consulted the following technical resources while assessing this risk:
Kandji's response to OpenSSL vulnerability CVE-2022-3786 (X.509 certificate validation stack buffer overflow)
The Kandji Security team has investigated and continues to monitor the OpenSSL Security Advisory dated 01 November, 2022.
OpenSSL is an open-source cryptography library and the one most commonly used by web applications for secure data transfer. Websites often use OpenSSL to enable Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
On Tuesday, November 1st, the OpenSSL Team released a security advisory about a newly discovered vulnerability within the OpenSSL library which could affect the security of the operating systems and applications provided by several popular vendors.
The OpenSSL team provided the following overview of the vulnerability:
“An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler, [CVE-2022-3602]” the OpenSSL Project explained in its changelog for version 3.0.7. An attacker can exploit CVE-2022-3786 just by creating a malicious email address to “overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack.”
Based on the statements from the OpenSSL team, the attack can be triggered in two ways: a vulnerable TLS client is exposed to a malicious server, or a vulnerable TLS server (web server, API endpoint, etc.) requests client authentication and a malicious client connects.
The OpenSSL team has not detected any exploitation of these vulnerabilities in the wild. Because OpenSSL is so widely used, the potential magnitude of this vulnerability could have major implications for organizations of all sizes and industries, hence the urgency to patch and update systems.
As soon as Kandji learned of this vulnerability, we promptly evaluated the Kandji SaaS (Software-As-A-Service) platform, the Kandji Self Service App, and also all supporting systems to determine what might be impacted and methodically set about remediating any exposure.
Kandji Engineering and Security teams have determined that the Kandji product does not utilize the affected versions of OpenSSL. As Kandji does not use the affected versions of OpenSSL, Kandji is not impacted by the OpenSSL vulnerabilities (CVE-2022-3602 and CVE-2022-3786).
Kandji continues to monitor the situation and does not expect to be impacted by any further developments or discoveries related to the OpenSSL issue.
If you think you may have discovered a vulnerability, please send us a note.