Contents

Tutorials

How to Use Kolide to Patch Vulnerable Macs

Kolide can get devices patched faster than using only MDM in emergency situations.

Jason Meller

On February 13th, Apple released a series of OS updates to quickly mitigate several serious vulnerabilities (CVE-2023-23514 and CVE-2023-23529) in macOS and Safari. The precise details of the vulnerabilities are still under embargo at the time of this writing, but it appears to be a worst-case scenario: a motivated unauthorized third-party can craft a specific payload to execute arbitrary code on an unpatched devices.

This type of emergency patching situation is unfortunately all too common, and yet most admins don’t have good tools to effectively hasten the speed these devices get patched. With Kolide’s recently announced Okta Integration, IT Admins now have a powerful capability to patch devices faster than ever. Using Kolide’s new integration will allow Mac Admins to update their fleets as fast as today.

What Kolide employee’s are seeing right now as they try to sign into their SaaS apps

In this blog post, I am going to detail how you can use our Zero Trust Access model to get your Macs patched ASAP. In the tutorial we’ll cover CVE-2023-23514 and then also give you the info for CVE-2023-23529.

Note: If you are just looking for the Check info: skip to the appendix

Step 1: Write a New Check

Even though Kolide has built-in Checks for ensuring macOS has recent patches, we will want to create a separate Check for each of these vulnerabilities. Why? Well there are several reasons:

  • Creating separate checks will enable us to track the remediation of these vulnerabilities much easier

  • We can use much more aggressively blocking rules than what is used in non-emergency situations (standard updates)

To get started, simply click Checks in the top navigation and then click the Add New Checks button in the upper-right. From there, select the Build Your Own tab, and then finally Start With a Blank Template.

I recommend naming the Check with the CVE number, something like “macOS CVE-2023-23514”

Click Create New Draft and then proceed to the next step.

Step 2: Write the Check SQL

The most important part of any Check are the rules to find failing Devices. In Kolide we write these rules using Osquery SQL. The SQL always should emit at least one row that contains a column called KOLIDE_CHECK_STATUS with a value of PASS or FAIL

For this Check, the following SQL does the trick:

WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

Paste the SQL into the editor. Once inserted, do a test-run against a few devices and add an example to the sidebar. This will be useful for the last step when we fill out the Privacy Center information.

Once you’ve tested the query and added an example failure to the sidebar, you are ready to proceed to the next tab named Check Details.

Step 3: Write Check Details

The Check Details section lets another admins know what problem this Check detects on Devices. It also allows us to define an issue title that will be display to our end-users on the sign in page.

Here is the info I supplied, if you simply want to copy it over into the form.

  • Check Name: macOS CVE-2023-23514
  • Issue Title: macOS Urgent Patch Required
  • Check Description: This Check verifies the Mac is patched against high severity vulnerability CVE-2023-23514 which impacts macOS Ventura systems.

Once entered in, your screen should look like the screenshot below:

From here, let’s move on to the writing the text our end-users will see when they attempt to remediate the problem. This is done in the Notification Text step.

Step 4: Write End-User Remediation Instructions

This critical step ensures end-users have all the information they need to solve this problem on their own.

On this page their are two important fields to fill out, one being the rationale which explains to users why this important to do. Here is the markdown I wrote:

  Your macOS version needs to be urgently updated to address a serious
  vulnerability that may allow an unauthorized third-party to execute code on
  your system without permission. For more information see
  [Apple's Support Article](https://support.apple.com/en-us/HT213633)

The second are the fix instructions the end-user should follow to fix the issue. In our case, since this vulnerability only impacts macOS 13, we want our instructions to detail how to go through that process using the updated System Settings app.

1. Click the Apple icon in the top left corner of your screen and then select "System Settings" from the drop-down menu.

1. In the left menu pane of the System Settings window, select the menu item labeled "General".

1. Once in the "General" menu, select the submenu labeled "Software Update".

1. Clicking the "Update Now" button will install all missing updates, potentially including major version updates.

1. To install only the missing security update(s), click the "More info" button. This will give you details about each update and you can select specific updates to install. Your device is failing for the following security updates:

1. With the missing update(s) selected, click the "Install" button. If you do not see those updates available, you can use the keyboard shortcut: 'Command + R' to refresh the "Software Update" settings panel. This will force your device to search for additional updates.

1. Clicking the "Update Now" button will install *all* missing updates, potentially including major version updates.

1. To install *only* the missing security update(s), click the "More info" button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.1.2` (or higher).

1. With the missing update(s) selected, click the "Install" button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the "Software Update" settings panel. This will force your device
to search for additional updates.

With both of these fields filled out, the tab should look something like the screenshot below.

A screenshot of the notification text dashboard when creating a custom check.

If that’s looking good, then let’s quickly deal with the Privacy Center tab. This Check does not have any impact on Privacy, so we can simply select the example we generated in the Osquery SQL tab and type in a short-message letting end-users know there isn’t any personal data collected for this Check.

With this last step done, we can now publish the Check.

Step 5: Publishing, Enabling, and Blocking

To finish publishing simply click the blue button in the upper-right corner that says Review & Publish Check. You’ll see a confirmation screen like the one below:

Simply click, Publish Check to complete the process. Then in the pop-up, you can click Enable Check as shown below:

Once enabled, click the View Check Results link that appears and then the action-menu in the upper-right and finally Configure…. This will bring up the sidebar where you can set the blocking status.

As we said in the intro, this is where you can determine how aggressively you want to mitigate this vulnerability, balancing that around the productivity of end-users. For our own Kolide employees, we thought this vulnerability was serious enough to warrant an immediate block. That said, giving folks an extra day is also a reasonable choice depending on your risk tolerance. If that’s the case, simply click the checkbox where it warns you about blocking devices and decide on a date in the future when you’d like the blocking to start.

Once you have the Check setup, the blocking will look something like this:

And that’s it! The next time your users sign into any app protected by Kolide they will be greeted with the following:

Appendix: Just the Checks

If you’ve gotten the hang of the steps above and just want a concise format to work off of to create these Checks, you can use the markdown below.

Unfortunately, we don’t (yet) have a way to automatically spin up Checks from this markdown, but it can still serve as a reference as you build your own Checks.

CVE-2023-23514 (macOS 13 only)

---
name: macOS CVE-2023-23514
issue_title: macOS Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---

# SQL
WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

# Description
This Check verifies the Mac is patched against high severity vulnerability CVE-2023-23514 which impacts macOS Ventura systems.

# Rationale
Your macOS version needs to be urgently updated to address a serious vulnerability that may allow an unauthorized third-party to execute code on your system without permission. For more information see [Apple's Support Article](https://support.apple.com/en-us/HT213633)

# Fix Instructions
1. Click the Apple icon in the top left corner of your screen and then select "System Settings" from the drop-down menu.

1. In the left menu pane of the System Settings window, select the menu item labeled "General".

1. Once in the "General" menu, select the submenu labeled "Software Update".

1. Clicking the "Update Now" button will install all missing updates, potentially including major version updates.

1. To install only the missing security update(s), click the "More info" button. This will give you details about each update and you can select specific updates to install. Your device is failing for the following security updates:

1. With the missing update(s) selected, click the "Install" button. If you do not see those updates available, you can use the keyboard shortcut: 'Command + R' to refresh the "Software Update" settings panel. This will force your device to search for additional updates.

1. Clicking the "Update Now" button will install *all* missing updates, potentially including major version updates.

1. To install *only* the missing security update(s), click the "More info" button. This will give you details about the available patches. From this list look for the update that says `macOS Ventura 13.1.2` (or higher).

1. With the missing update(s) selected, click the "Install" button.

**Please Note**: If you do not see those updates available, you can use the keyboard shortcut: `Command + R` to refresh the "Software Update" settings panel. This will force your device
to search for additional updates.

# Privacy Info
No personal or private information is collected for this Check.

CVE-2023-23529 (macOS 11 & 12)

---
name: Safari Vulnerability (CVE-2023-23529)
issue_title: Safari Urgent Patch Required
topics:
- custom-check
platforms:
- darwin
---

# SQL
WITH
reference_version AS (
  SELECT '13.2.1' AS minimum_version
),
version_split AS (
  SELECT version AS current_version,
-- Split minimum_version strings
    CAST(SPLIT(minimum_version, ".", 0)AS int) AS min_ver_major,
    CAST(SPLIT(minimum_version, ".", 1)AS int) AS min_ver_minor,
    CAST(SPLIT(minimum_version, ".", 2)AS int) AS min_ver_patch,
-- Split installed_version strings
    COALESCE(major, 0) AS current_ver_major,
    COALESCE(minor, 0) AS current_ver_minor,
    COALESCE(patch, 0) AS current_ver_patch
   FROM os_version
   LEFT JOIN reference_version
),
failure_logic AS (
  SELECT *,
    CASE
-- Scope to only 13.x devices
      WHEN  current_ver_major = 13
       AND (
-- Check major versions
           (min_ver_major >  current_ver_major)
-- Check minor versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >  current_ver_minor)
-- Check patch versions
        OR (
            min_ver_major >= current_ver_major
        AND min_ver_minor >= current_ver_minor
        AND min_ver_patch >  current_ver_patch)
    )
      THEN 'FAIL'
-- Passing Condition: Pass all 12.x versions or < 13.2.1 versions
      WHEN current_ver_major < 13
        OR (
           min_ver_major <= current_ver_major
       AND min_ver_minor <= current_ver_minor
       AND min_ver_patch <=  current_ver_patch
    )
      THEN 'PASS'
      ELSE 'UNKNOWN'
    END AS KOLIDE_CHECK_STATUS
  FROM version_split
)
SELECT * FROM failure_logic;

# Description
CVE-2023-23529 was recently patched and disclosed by Apple. This vulnerability affects macOS 11 _(Big Sur)_ and macOS 12 _(Monterey)_ devices, running the Safari web browser. The vulnerability is [described by Apple](https://support.apple.com/en-us/HT213638) as:

"Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited."

# Rationale
Devices running a vulnerable version of the Safari web browser are at risk of maliciously crafted web content leading to arbitrary code execution. Due to the severity of this risk, users should update Safari as soon as possible.

Safari versions prior to `16.3.1` are vulnerable.

You are currently running version: `{{issue.current_version'}}`

# Fix Instructions
To update Safari, follow the steps below:

1. Open System Preferences by clicking the Apple icon at the top-left of your screen, and clicking the item in the drop-down labeled **System Preferences**
1. In System Preferences, click the preference pane item labeled **Software Update** _(gear icon)_.
1. The Software Update preference pane should automatically begin checking for available updates.
1. When the Safari update is displayed, click the button labeled **Update Now** or **Install Now**
1. You may be presented with a list of available updates, ensure the checkbox next to the Safari update is checked and click the **Install Now** button.

_Note: If you currently have any other failing Checks which pertain to missing macOS updates, they may also be resolved by following these fix instructions_

# Privacy Info
This Check returns information only about the current version of your Safari web browser, no private information is included.

If you’re not a Kolide customer but you want to learn more about how our device trust solution works, watch our on-demand demo!

Share this story:

More articles you
might enjoy:

Deep Dives
Healthcare Security Is a Nightmare: Here's Why
Kenny Najarro
Deep Dives
The Risks of End of Life Software and How to Address Them
Kenny Najarro
Deep Dives
Mac Patch Management Is an Urgent, Unsolved Problem
Elaine Atwell and Nick Moore
Watch a Demo
Watch a Demo