Vulnerable software on user computers poses major threats, as demonstrated by the latest Google Chrome zero-day vulnerability, CVE-2022-1096. A common response from organizations is to deny the affected users access to all or selected resources. Denying access to users who run vulnerable software can easily be achieved with AppGate SDP’s device posture check capabilities and conditional access mechanisms.
Solution
This article provides example device claim scripts for macOS, Linux distributions, and Windows that detect installed software versions, and a condition script that requires a minimum version for access. Although they are specific to Google Chrome, they can be used as a template to check any other software in the future.
Follow the steps below:
Log in to the SDP Admin UI
Navigate to Scripts > Device Claims Scripts
Create three device claim scripts using the files below:
Name the scripts chrome_version_linux, chrome_version_mac and chrome_version_windows
Navigate to System > Identity Providers and select the relevant Identity Provider
Under “Configure On-demand Device Claims”, add three new Device Claims with the “Run Device Script” command. For the first one, select chrome_version_linux from the list, use “chrome_version” as the Claim Name and select “All Linux Devices”.
Do the same for Windows and macOS, using the same “chrome_version” claim name on all three platforms.
The result should look like the following:

Navigate to Operations > Conditions and create a new condition
Use a relevant name like “Safe Chrome Versions”
In Access Criteria, select “script returns true” and paste the code from the linked condition.js file
Under “User Actions”, add a “Display Message” user action with an informative message
For example: “The Chrome version installed on your host is vulnerable, please update Google Chrome.”
There is no need to set a re-evaluate period, as the script is tied to a device claim, which is re-evaluated every 5 minutes.
Navigate to Operations > Entitlements.
Add the newly created Condition to selected / all entitlements as needed.
Note that when a user updates Google Chrome to a safe version, it may take up to 5 minutes for the condition to be updated.
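The minimum-version check that the “Safe Chrome Versions” condition depends on can be sketched as follows. This is an added example, not the linked condition.js or AppGate's own code; MIN_VERSION is a constructed placeholder, and both the shape of the claim value and the claims.device.chrome_version path are assumptions.

```javascript
// Constructed placeholder: replace with the fixed build named in the
// vendor advisory for the vulnerability you are gating on.
const MIN_VERSION = "100.0.1.20";

// Extract the first four-part version from the claim value.
// Assumption: the device claim script reports either the bare version
// or a line such as "Google Chrome 100.0.1.20".
// Returns null when nothing usable is present.
function parseVersion(value) {
  if (typeof value !== "string") return null;
  const m = value.match(/(\d+)\.(\d+)\.(\d+)\.(\d+)/);
  return m ? m.slice(1).map(Number) : null;
}

// Compare part by part as numbers. Comparing the raw strings would
// rank "99..." above "100..." and "...1.3" above "...1.20".
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Fail closed: a missing, empty or unparseable claim denies access.
// A device without Chrome also yields no version; whether that case
// should pass is a policy decision to handle separately.
function isSafeChrome(claimValue, minimum) {
  const installed = parseVersion(claimValue);
  const required = parseVersion(minimum);
  if (!installed || !required) return false;
  return compareVersions(installed, required) >= 0;
}

// In a condition script the final statement would be along the lines of
//   return isSafeChrome(claims.device.chrome_version, MIN_VERSION);
// (assumed claim path, based on the "chrome_version" claim name above).
```

Failing closed means a device whose claim script errors out is treated the same as a device with an outdated browser, so the “Display Message” text should cover both cases.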