A trio of security flaws has been uncovered in CocoaPods, the dependency manager for Swift and Objective-C Cocoa projects, that could be exploited to stage software supply chain attacks, putting downstream customers at severe risk.
The vulnerabilities allow "any malicious actor to claim ownership over thousands of unclaimed pods and insert malicious code into many of the most popular iOS and macOS applications," E.V.A Information Security researchers Reef Spektor and Eran Vaknin said in a report published today.
The Israeli application security firm said the three issues have since been patched by CocoaPods as of October 2023. CocoaPods also reset all user sessions at the time in response to the disclosures.
One of the vulnerabilities is CVE-2024-38368 (CVSS score: 9.3), which makes it possible for an attacker to abuse the "Claim Your Pods" process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes. However, this required that all prior maintainers had been removed from the project.
The roots of the problem go back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners. An attacker could use a public API for claiming pods, together with an email address that was present in the CocoaPods source code ("unclaimed-pods@cocoapods.org"), to take over those packages.
The second bug is even more critical (CVE-2024-38366, CVSS score: 10.0) and takes advantage of an insecure email verification workflow to run arbitrary code on the Trunk server, which could then be used to manipulate or replace packages.
Also identified in the service is a second problem in the email address verification component (CVE-2024-38367, CVSS score: 8.2) that could entice a recipient into clicking on a seemingly benign verification link which, in reality, reroutes the request to an attacker-controlled domain in order to gain access to a developer's session tokens.
Making matters worse, this can be upgraded into a zero-click account takeover attack by spoofing an HTTP header (specifically, the X-Forwarded-Host header field, which the server used when building the link) and taking advantage of misconfigured email security tools that follow links in incoming mail on the recipient's behalf, so the token is delivered to the attacker without the developer ever clicking.
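The header-spoofing path described above, shown as an added Ruby illustration of the general bug class (this is demonstration code, not the CocoaPods Trunk server's own code; the hostnames, route and request hashes are constructed). The vulnerable builder derives the link host from request headers, so a client or misconfigured proxy that sends X-Forwarded-Host controls where the verification token is sent; the hardened builder takes the host from server configuration and refuses to mint a link when an unexpected forwarded host shows up:

```ruby
require 'uri'
require 'securerandom'

# Assumed deployment setting for the example; not a real CocoaPods host.
CANONICAL_HOST = 'trunk.cocoapods.example'

# Vulnerable: trusts the proxy-forwarded host (or the client's Host header)
# when building the absolute URL that goes into the verification email.
def verification_link_vulnerable(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened: the link host comes from configuration, never from the request.
# A forwarded host that does not match is treated as an attack or a proxy
# misconfiguration and the link is not generated at all.
def verification_link_hardened(headers, token, canonical_host: CANONICAL_HOST)
  forwarded = headers['X-Forwarded-Host']
  if forwarded && forwarded != canonical_host
    raise ArgumentError, "unexpected X-Forwarded-Host: #{forwarded.inspect}"
  end
  URI::HTTPS.build(host: canonical_host, path: "/sessions/verify/#{token}").to_s
end

# Check helper: which host does a generated link actually point at?
def link_host(link)
  URI.parse(link).host
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16)
  # Constructed request: the attacker supplies X-Forwarded-Host while
  # triggering a verification email for the victim's address.
  spoofed = { 'Host' => CANONICAL_HOST, 'X-Forwarded-Host' => 'attacker.example' }
  puts verification_link_vulnerable(spoofed, token) # host is attacker.example
  begin
    verification_link_hardened(spoofed, token)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts verification_link_hardened({ 'Host' => CANONICAL_HOST }, token)
end
```

The rejection (rather than a silent fallback to the canonical host) is deliberate: a mismatched X-Forwarded-Host either means the reverse proxy is not stripping client-supplied forwarding headers or that someone is probing, and both deserve a log entry. Any link-scanning mail gateway that pre-fetches URLs would fetch the attacker's host in the vulnerable case, which is what turns the one-click variant into a zero-click one.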
"We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability," the researchers said.
This is not the first time CocoaPods has come under scrutiny. In March 2023, Checkmarx revealed that an abandoned sub-domain associated with the dependency manager ("cdn2.cocoapods[.]org") could have been hijacked by an adversary via GitHub Pages with the aim of hosting their payloads.