
Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

A trio of security flaws has been uncovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage software supply chain attacks, putting downstream customers at severe risk.

The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications," E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today.

The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. It also reset all user sessions at the time in response to the disclosures.


One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which makes it possible for an attacker to abuse the "Claim Your Pods" process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes. However, this required that all prior maintainers had been removed from the project.


The roots of the problem go back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners, allowing an attacker to use a public API for claiming pods and an email address that was available in the CocoaPods source code ("unclaimed-pods@cocoapods.org") to take over control.

The second bug is even more critical (CVE-2024-38366, CVSS score: 10.0) and takes advantage of an insecure email verification workflow to run arbitrary code on the Trunk server, which could then be used to manipulate or replace the packages.

Also identified in the service is a second problem in the email address verification component (CVE-2024-38367, CVSS score: 8.2) that could entice a recipient into clicking on a seemingly benign verification link when, in reality, it reroutes the request to an attacker-controlled domain in an attempt to gain access to a developer's session tokens.

Making matters worse, this can be upgraded into a zero-click account takeover attack by spoofing an HTTP header (i.e., modifying the X-Forwarded-Host header field) and taking advantage of misconfigured email security tools.
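The defensive lesson in the verification-link issue above, as an added example that is not CocoaPods' own code: a link builder that derives its host from the request's X-Forwarded-Host (or Host) header emits whatever host the request carried, while one that only ever uses a fixed canonical origin does not. The base URL, the allow-list and the request headers are constructed assumptions.

```python
# Added example (not CocoaPods' or E.V.A's code): an e-mail verification link
# built two ways, showing why trusting a forwarded host header is unsafe.
from urllib.parse import urlencode, urlsplit

CANONICAL_BASE = "https://trunk.example.org"   # assumption: the service's fixed public origin
TRUSTED_HOSTS = {"trunk.example.org"}          # assumption: allow-list of legitimate link hosts


def build_link_unsafe(headers: dict, token: str) -> str:
    """Weak pattern: the host in the link comes from X-Forwarded-Host (or Host),
    so whoever sets that request header decides where the link points."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/sessions/verify?{urlencode({'token': token})}"


def build_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: ignore client-supplied host headers entirely and
    emit only the configured canonical origin."""
    return f"{CANONICAL_BASE}/sessions/verify?{urlencode({'token': token})}"


def link_is_trusted(link: str) -> bool:
    """Last-line guard before sending mail: the link must be HTTPS and must
    land on an allow-listed host."""
    parts = urlsplit(link)
    return parts.scheme == "https" and parts.hostname in TRUSTED_HOSTS


if __name__ == "__main__":
    # Constructed sample request: a client that supplied its own X-Forwarded-Host.
    req = {"Host": "trunk.example.org", "X-Forwarded-Host": "forged.example.net"}
    for builder in (build_link_unsafe, build_link_hardened):
        link = builder(req, "t0k3n")
        print(f"{builder.__name__}: {link} trusted={link_is_trusted(link)}")
```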


"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," the researchers said.

This isn't the first time CocoaPods has come under the scanner. In March 2023, Checkmarx revealed that an abandoned sub-domain associated with the dependency manager ("cdn2.cocoapods[.]org") could have been hijacked by an adversary via GitHub Pages with the aim of hosting their payloads.
