Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks – Cyber News

Jul 01, 2024 Newsroom Supply Chain / Software Security

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risk.

The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications," E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today.

The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. CocoaPods also reset all user sessions at the time in response to the disclosures.

One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which makes it possible for an attacker to abuse the "Claim Your Pods" process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes. However, this required that all prior maintainers had been removed from the project.

The roots of the problem go back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners, allowing an attacker to use a public API for claiming pods and an email address that was available in the CocoaPods source code ("unclaimed-pods@cocoapods.org") to take over control.

The second bug is even more critical (CVE-2024-38366, CVSS score: 10.0) and takes advantage of an insecure email verification workflow to run arbitrary code on the Trunk server, which could then be used to manipulate or replace the packages.

Also identified in the service is a second problem in the email address verification component (CVE-2024-38367, CVSS score: 8.2) that could trick a recipient into clicking on a seemingly benign verification link which, in reality, reroutes the request to an attacker-controlled domain in an attempt to gain access to a developer's session tokens.

Making matters worse, this can be upgraded into a zero-click account takeover attack by spoofing an HTTP header – i.e., modifying the X-Forwarded-Host header field so that the emailed link points at the attacker's host – and taking advantage of misconfigured email security tools (for instance, link-scanning gateways that automatically fetch every URL in an inbound message, delivering the token to the attacker without any action by the recipient).
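The header-trust mistake behind the one-click and zero-click variants, as an added example that is not CocoaPods Trunk's own code: a verification-link builder that takes its hostname from the request (preferring X-Forwarded-Host) beside one that takes it from server configuration. The hostname, path and token are assumed for illustration, and the "mail gateway" is modelled as a function that simply fetches whatever link it is handed.

```ruby
require 'uri'

# Assumed values for the example; not CocoaPods' real configuration.
CANONICAL_HOST = 'trunk.example.org'.freeze
VERIFY_PATH    = '/sessions/verify/'.freeze

# Vulnerable pattern: the host in the emailed link comes from the request,
# with X-Forwarded-Host preferred over Host. Whoever triggers the
# verification email therefore chooses where the recipient (or a mail
# gateway that follows links) sends the session token.
def vulnerable_verification_link(request_headers, token)
  host = request_headers['X-Forwarded-Host'] || request_headers['Host']
  "https://#{host}#{VERIFY_PATH}#{token}"
end

# Hardened pattern: the link host is server configuration. If a deployment
# genuinely serves several hostnames, a header value is honoured only when
# it is on an explicit allowlist; anything else falls back to the canonical
# host, so a spoofed X-Forwarded-Host cannot redirect the token.
def hardened_verification_link(request_headers, token, allowed_hosts: [CANONICAL_HOST])
  requested = request_headers['X-Forwarded-Host'] || request_headers['Host']
  host = allowed_hosts.include?(requested) ? requested : CANONICAL_HOST
  "https://#{host}#{VERIFY_PATH}#{token}"
end

# Models an email security gateway that fetches every link in an inbound
# message: the host it returns is the host that receives the token. With a
# poisoned link this is the zero-click leak, since the recipient never
# clicks anything.
def host_that_receives_token(link)
  URI.parse(link).host
end

# Constructed sample request: the attacker asks the server to send the
# victim a verification email while supplying an attacker-controlled
# X-Forwarded-Host. The Host header itself looks legitimate.
ATTACKER_REQUEST = {
  'Host'             => CANONICAL_HOST,
  'X-Forwarded-Host' => 'attacker.example',
}.freeze

SAMPLE_TOKEN = 'a1b2c3d4e5f6'.freeze # constructed, not a real token

if __FILE__ == $PROGRAM_NAME
  leaked_to = host_that_receives_token(vulnerable_verification_link(ATTACKER_REQUEST, SAMPLE_TOKEN))
  kept_at   = host_that_receives_token(hardened_verification_link(ATTACKER_REQUEST, SAMPLE_TOKEN))
  puts "vulnerable builder sends the token to: #{leaked_to}"
  puts "hardened builder sends the token to:   #{kept_at}"
end
```

The same fix applies whether a human clicks the link or a gateway fetches it: once the application stops deriving security-relevant URLs from client-controlled headers, the token can only ever travel to a host the operator chose. Reverse proxies that legitimately set X-Forwarded-Host should be handled by configuring the canonical host in the application rather than by trusting the header as received.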

"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," the researchers said.

This isn't the first time CocoaPods has come under the scanner. In March 2023, Checkmarx revealed that an abandoned sub-domain associated with the dependency manager ("cdn2.cocoapods[.]org") could have been hijacked by an adversary via GitHub Pages with the aim of hosting their payloads.
