Patch Macs with 1Password Extended Access Management

Patch Macs with 1Password Extended Access Management

Jason Meller by Jason Meller on

In emergency situations, 1Password® Extended Access Management can get devices patched faster than MDM alone.

On February 13th, 2023, Apple released a series of OS updates to quickly mitigate several serious vulnerabilities (CVE-2023-23514 and CVE-2023-23529) in macOS and Safari. It appeared to be a worst-case scenario: a motivated unauthorized third-party could craft a specific payload to execute arbitrary code on unpatched devices.

This type of emergency patching situation is unfortunately all too common, and yet most admins don’t have good tools to effectively hasten the speed these devices get patched. With 1Password Extended Access Management’s integration with identity providers like Okta, Microsoft Entra, and Google Workspace, IT admins now have a powerful capability to patch devices faster than ever. Using 1Password Extended Access Management’s Device Trust solution allows Mac admins to update their fleets as fast as today.

In this blog post, I am going to detail how you can use our Zero Trust Access model to get your Macs patched ASAP. In the tutorial, we’ll use CVE-2023-23514 and CVE-2023-23529 as our examples.

Step 1: Write a new check

Even though 1Password Extended Access Management has built-in Checks for ensuring macOS has recent patches, we will want to create a separate Check for urgent vulnerabilities like these. Why? Well there are several reasons:

  • Creating separate checks will enable us to track the remediation of these vulnerabilities much easier.

  • We can use much more aggressive blocking rules than what is used in non-emergency situations (standard updates).

To get started, simply click Checks in the top navigation and then click the “Add New Checks” button in the upper-right. From there, select the “Build Your Own” tab, and then finally, “Start With a Blank Template.”

A screenshot showing a XAM custom check prompt.
I recommend naming the Check with the CVE number, something like `macOS CVE-2023-23514`

Click “Create New Draft” and then proceed to the next step.

Step 2: Write the check SQL

The most important part of any Check are the rules to find failing Devices. In 1Password Extended Access Management we write these rules using Osquery SQL. The SQL always should emit at least one row that contains a column called KOLIDE_CHECK_STATUS with a value of PASS or FAIL

For this Check, the following SQL does the trick:

WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

Paste the SQL into the editor. Once inserted, do a test run against a few devices and add an example to the sidebar. This will be useful for the last step when we fill out the Privacy Center information.

A screenshot of the XAM custom check screen after putting in sql code.

Once you’ve tested the query and added an example failure to the sidebar, you are ready to proceed to the next tab, named “Check Details.”

Step 3: Write check details

The “Check Details” section lets other admins know what problem this Check detects on Devices. It also allows us to define an issue title that will be display to our end-users on the sign in page.

Here is the info I supplied:

  • Check Name: macOS CVE-2023-23514

  • Issue Title: macOS Urgent Patch Required

  • Check Description: This Check verifies the Mac is patched against high severity vulnerability CVE-2023-23514 which impacts macOS Ventura systems.

Once entered in, your screen should look like the screenshot below:

A screenshot of XAM custom check details.

From here, let’s move on to writing the text our end users will see when they attempt to remediate the problem. This is done in the “Notification Text” step.

Step 4: Write end-user remediation instructions

This critical step ensures end users have all the information they need to solve this problem on their own.

On this page there are two important fields to fill out, one being the rationale which explains to users why this is important to do. Here is the markdown I wrote:

  Your macOS version needs to be urgently updated to address a serious
  vulnerability that may allow an unauthorized third-party to execute code on
  your system without permission. For more information see
  [Apple's Support Article](https://support.apple.com/en-us/HT213633)

The second are the fix instructions the end user should follow to fix the issue. In our case, since this vulnerability only impacts macOS 13, we want our instructions to detail how to go through that process using the updated System Settings app.

1. Click the Apple icon in the top left corner of your screen and then select "System Settings" from the drop-down menu.

2. In the left menu pane of the System Settings window, select the menu item labeled "General".

3. Once in the "General" menu, select the submenu labeled "Software Update".

4. Clicking the "Update Now" button will install all missing updates, potentially including major version updates.

5. To install only the missing security update(s), click the "More info" button. This will give you details about each update and you can select specific updates to install. Your device is failing for the following security updates:

6. With the missing update(s) selected, click the "Install" button. If you do not see those updates available, you can use the keyboard shortcut: 'Command + R' to refresh the "Software Update" settings panel. This will force your device to search for additional updates.

7. Clicking the "Update Now" button will install *all* missing updates, potentially including major version updates.

8. To install *only* the missing security update(s), click the "More info" button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.1.2` (or higher).

9. With the missing update(s) selected, click the "Install" button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the "Software Update" settings panel. This will force your device to search for additional updates.

With both of these fields filled out, the tab should look something like the screenshot below.

A screenshot of XAM macOS fix instructions.

If that’s looking good, then let’s quickly deal with the Privacy Center tab. This Check does not have any impact on Privacy, so we can simply select the example we generated in the Osquery SQL tab and type in a short-message letting end-users know there isn’t any personal data collected for this Check.

A screenshot of the XAM custom check in the privacy center.

With this last step done, we can now publish the Check.

Step 5: Publishing, enabling, and blocking

To finish publishing simply click the blue button in the upper-right corner that says “Review & Publish Check.” You’ll see a confirmation screen like the one below:

A screenshot of the XAM custom check preview.

Simply click, Publish Check to complete the process. Then in the pop-up, you can click “Enable Check” as shown below:

A screenshot showing a XAM check once it's enabled.

Once enabled, click the “View Check Results” link that appears, and then the action menu in the upper-right, and finally Configure. This will bring up the sidebar where you can set the blocking status.

A screenshot showing the XAM check sidebar to set a blocking status.

As we said in the intro, this is where you can determine how aggressively you want to mitigate this vulnerability, balancing that around the productivity of end users. For our internal use, this vulnerability was serious enough to warrant an immediate block, but giving folks an extra day is also a reasonable choice depending on your risk tolerance. And for other CVEs, you might allow users even more time before they’re blocked. If that’s the case, simply click the checkbox that warns you about blocking devices, and decide on a date in the future when you’d like the blocking to start.

Once you have the Check set up, the blocking will look something like this:

A screenshot showing the blocking status and end result of an edited XAM check.

And that’s it! The next time your users sign into any app protected by 1Password Extended Access Management, they will be greeted with the following:

A screenshot of the pop-up your end-users will get once they are failing a check.

Appendix: Just the Checks

If you’ve gotten the hang of the steps above and just want a concise format to work off of to create these or similar Checks, you can use the markdown below as a reference as you build your own Checks.

CVE-2023-23514 (macOS 13 only)

---
name: macOS CVE-2023-23514
issue_title: macOS Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---
WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

# Description
This Check verifies the Mac is patched against high severity vulnerability CVE-2023-23514 which impacts macOS Ventura systems.

# Rationale
Your macOS version needs to be urgently updated to address a serious vulnerability that may allow an unauthorized third-party to execute code on your system without permission. For more information see [Apple's Support Article](https://support.apple.com/en-us/HT213633)

# Fix Instructions
1. Click the Apple icon in the top left corner of your screen and then select "System Settings" from the drop-down menu.

2. In the left menu pane of the System Settings window, select the menu item labeled "General".

3. Once in the "General" menu, select the submenu labeled "Software Update".

4. Clicking the "Update Now" button will install all missing updates, potentially including major version updates.

5. To install only the missing security update(s), click the "More info" button. This will give you details about each update and you can select specific updates to install. Your device is failing for the following security updates:

6. With the missing update(s) selected, click the "Install" button. If you do not see those updates available, you can use the keyboard shortcut: 'Command + R' to refresh the "Software Update" settings panel. This will force your device to search for additional updates.

7. Clicking the "Update Now" button will install *all* missing updates, potentially including major version updates.

8. To install *only* the missing security update(s), click the "More info" button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.1.2` (or higher).

9. With the missing update(s) selected, click the "Install" button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the "Software Update" settings panel. This will force your device
to search for additional updates.

# Privacy Info
No personal or private information is collected for this Check.

CVE-2023-23529 (macOS 11 & 12)

---
name: Safari Vulnerability (CVE-2023-23529)
issue_title: Safari Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---
WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version
),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

# Description
CVE-2023-23529 was recently patched and disclosed by Apple. This vulnerability affects macOS 11 _(Big Sur)_ and macOS 12 _(Monterey)_ devices, running the Safari web browser. The vulnerability is [described by Apple](https://support.apple.com/en-us/HT213638) as:

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."

# Rationale
Devices running a vulnerable version of the Safari web browser are at risk of maliciously crafted web content leading to arbitrary code execution. Due to the severity of this risk, users should update Safari as soon as possible.

Safari versions prior to `16.3.1` are vulnerable.

You are currently running version: `{{issue.current_version'}}`

# Fix Instructions
To update Safari, follow the steps below:

1. Open System Preferences by clicking the Apple icon at the top-left of your screen, and clicking the item in the drop-down labeled **System Preferences**
2. In System Preferences, click the preference pane item labeled **Software Update** _(gear icon)_.
3. The Software Update preference pane should automatically begin checking for available updates.
4. When the Safari update is displayed, click the button labeled **Update Now** or **Install Now**
5. You may be presented with a list of available updates, ensure the checkbox next to the Safari update is checked and click the **Install Now** button.

Note: If you currently have any other failing Checks which pertain to missing macOS updates, they may also be resolved by following these fix instructions

# Privacy Info
This Check returns information only about the current version of your Safari web browser, no private information is included.

If you’re not a current 1Password Extended Access Management customer but you want to learn more about how our device trust solution works, reach out for a demo!

VP, Product Management

Jason Meller - VP, Product Management Jason Meller - VP, Product Management

Tweet about this post