CocoaPods Flaw Exposes iOS & macOS Apps To Supply Chain Attacks


Multiple vulnerabilities in the CocoaPods dependency manager have been identified, posing a significant risk of supply chain attacks.

The flaws allow a malicious actor to take control of thousands of unclaimed pods and inject malicious code into numerous well-known Mac and iOS apps.

An attack on the mobile app ecosystem may infect almost all Apple devices, putting thousands of organizations at risk of severe financial and reputational harm. 

CocoaPods is an application-level dependency manager for Objective-C, Swift, and other languages that run on the Objective-C runtime, such as RubyMotion.


Vulnerabilities In The CocoaPods Ecosystem

The first, a critical-severity bug identified as CVE-2024-38368 with a CVSS score of 9.3, allows an attacker to abuse the Claim the Pods process and take over a package.

“The attacker would be able to manipulate the source code or insert malicious content into the newly-claimed Pod. This pod would then go on to infect many downstream dependencies and potentially find its way into a large percentage of Apple devices currently in use,” according to E.V.A Information Security researchers.

By investigating the source code of the ‘Trunk’ server, researchers discovered that all orphan pods were assigned to a default CocoaPods owner, whose email address was [email protected]. 

Trunk server’s App controller including “temporary” /claims routes

Numerous unclaimed Pods remain in widespread use, and many other CocoaPods packages depend on these orphaned Pods.

In total, researchers discovered 685 Pods with an explicit dependency on an orphaned Pod; in proprietary codebases, there may be hundreds or even thousands more. At some point, all of these were vulnerable to supply chain attacks. 

The second flaw, tracked as CVE-2024-38366, carries a CVSS score of 10.0.

It allows arbitrary code execution on the Trunk server by abusing an improper email verification process, which could be used to modify or replace the packages it serves.

An attacker with that level of access could shut the server down entirely, wipe every pod owner’s session token, or compromise client traffic.

Finally, CVE-2024-38367, a session-verification hijacking issue with a CVSS score of 8.2, lets an attacker submit the session request with a spoofed X-Forwarded-Host (XFH) header.

The CocoaPods “Trunk” server then builds the validation URL from that spoofed domain and includes it in the email it sends.

Email including a URL with the spoofed domain

“After receiving the session validation token, it’s possible to access the new link to validate the session and take over the account”, reads the report.

Combined with improperly configured email security tools, the spoofed header can ‘upgrade’ this into a zero-click account takeover.
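The root cause described above is a validation link whose host is taken from a client-controlled header. The following is an added example, not CocoaPods or Trunk code: it contrasts that pattern with one that builds the link from a configured canonical origin and flags mismatched forwarded hosts for logging. The base URL, route path, and header values are all constructed placeholders.

```ruby
require 'uri'

# Constructed configuration: the canonical public origin of the service (placeholder domain).
CANONICAL_BASE = 'https://trunk.example.test'.freeze

# Vulnerable pattern (illustrative only): the link host comes from headers the client
# controls, so a spoofed X-Forwarded-Host ends up in the emailed validation URL.
def validation_link_from_headers(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: ignore Host and X-Forwarded-Host entirely. The origin is fixed
# server-side configuration, so no request header can redirect where the token goes.
def validation_link(token, base: CANONICAL_BASE)
  raise ArgumentError, 'token must be URL-safe' unless token.match?(/\A[A-Za-z0-9_-]+\z/)
  URI.join(base, "/sessions/verify/#{token}").to_s
end

# Detection aid: report whether a request's forwarded host disagrees with the canonical
# host. Logging these mismatches is how header spoofing of this kind becomes visible.
def forwarded_host_mismatch?(headers, base: CANONICAL_BASE)
  xfh = headers['X-Forwarded-Host']
  return false if xfh.nil?
  # A proxy chain may append several hosts; the first entry is the one a client supplied.
  xfh.split(',').first.strip.downcase != URI(base).host
end

if $PROGRAM_NAME == __FILE__
  # Constructed request headers with a spoofed forwarded host.
  spoofed = { 'Host' => 'trunk.example.test', 'X-Forwarded-Host' => 'spoofed.example.test' }
  puts validation_link_from_headers(spoofed, 'abc123') # host taken from the spoofed header
  puts validation_link('abc123')                        # host fixed to the canonical origin
  puts forwarded_host_mismatch?(spoofed)                # true: worth logging and alerting on
end
```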

“We have found that almost every pod owner is registered with their organizational email on the Trunk server, which makes them vulnerable to our zero-click takeover vulnerability,” the researchers said.

Takeaways

As of October 2023, CocoaPods has patched all three bugs and, in response to the disclosures, reset every user session at that time.

Still, enterprises need to be aware of this possible point of attack and continue to learn about the many package and dependency management techniques that developers use.
