
Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks

July 1, 2024 · Writing · Supply Chain and Software Security

A trio of security vulnerabilities have been discovered in the CocoaPods dependency manager for Swift and Objective-C Cocoa projects that could be exploited to stage attacks on the software supply chain, exposing downstream customers to serious risk.

These vulnerabilities allow “any malicious actor to claim ownership of thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications,” EVA information security researchers Reef Spektor and Eran Vaknin said in a report released today.

The Israeli app security firm said all three issues were patched by CocoaPods in October 2023. CocoaPods also reset all user sessions at that time in response to the disclosures.


One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which lets an attacker abuse the “Claim Your Pods” process and take control of a package, enabling them to tamper with the source code and introduce malicious changes. However, this requires that all previous maintainers have been removed from the project.

The roots of the issue date back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners, allowing an attacker to use a public API to claim pods and an email address available in the CocoaPods source code (“unclaimed-pods@cocoapods.org”) to gain control.

The second bug is even more critical (CVE-2024-38366, CVSS score: 10.0) and exploits an insecure email verification workflow to execute arbitrary code on the Trunk server, which could then be used to manipulate or replace packages.

A third issue was identified in the service’s email address verification component (CVE-2024-38367, CVSS score: 8.2): a recipient could be tricked into clicking a seemingly innocuous verification link that in reality redirects the request to an attacker-controlled domain in order to gain access to the developer’s session tokens.

To make matters worse, this technique can be transformed into a zero-click account takeover attack by spoofing an HTTP header (i.e. modifying the X-Forwarded-Host header field) and leveraging misconfigured email security tools.
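As an added example (not CocoaPods’ or the researchers’ code), the Ruby snippet below shows the link-building pattern the article describes, where the host of a verification link is taken from a proxy-supplied header, beside a hardened form that pins the link to a configured canonical host and logs a mismatch for detection. The host name, the `/sessions/verify/` path and the header handling are assumptions, not details from the page.

```ruby
# Added example (not CocoaPods' code): building an email verification link.
# The article describes CVE-2024-38367 as a forged X-Forwarded-Host header
# steering the verification link to an attacker-controlled domain. The naive
# builder below trusts that header; the hardened one uses a fixed canonical
# host and treats the forwarded value only as a signal worth logging.
require 'securerandom'
require 'uri'

CANONICAL_HOST = 'trunk.cocoapods.org'.freeze # assumed deployment value

# Naive: derive the link host from proxy-supplied headers (the pattern the
# article describes being abused). Shown only for contrast.
def verification_link_naive(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}" # hypothetical path
end

# Hardened: never derive the host from request headers. A forwarded host
# that differs from the canonical one is recorded so it surfaces in
# monitoring instead of in the email a developer receives.
def verification_link_hardened(headers, token, logger: [])
  forwarded = headers['X-Forwarded-Host']
  if forwarded && forwarded.downcase != CANONICAL_HOST
    logger << "suspicious X-Forwarded-Host=#{forwarded.inspect}"
  end
  URI::HTTPS.build(host: CANONICAL_HOST, path: "/sessions/verify/#{token}").to_s
end

# Last-line check a mailer can apply before sending: the link must point
# at the canonical host, whatever built it.
def link_points_home?(url)
  URI.parse(url).host == CANONICAL_HOST
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request headers simulating a forged forwarded host.
  headers = { 'Host' => CANONICAL_HOST, 'X-Forwarded-Host' => 'attacker.example' }
  token = SecureRandom.hex(16)
  puts verification_link_naive(headers, token)    # points at attacker.example
  puts verification_link_hardened(headers, token) # points at trunk.cocoapods.org
end
```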


“We found that almost all pod owners are registered with their organizational email on the Trunk server, making them vulnerable to our zero-click takeover vulnerability,” the researchers said.

This isn’t the first time CocoaPods has been in the spotlight. In March 2023, Checkmarx revealed that an abandoned subdomain associated with the dependency manager (“cdn2.cocoapods(.)org”) may have been hijacked by an adversary via GitHub Pages to host its payloads.




News Source : thehackernews.com