01 July 2024 | Newsroom | Supply chain / software security

Supply chain attacks

Three security flaws have been disclosed in CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects, that could be exploited for software supply chain attacks and pose serious risks to users.

E.V.A Information Security researchers Reef Spector and Eran Vaknin said in a report published today that the vulnerabilities “allow any malicious actor to claim ownership of thousands of unclaimed pods and inject malicious code into many popular iOS and macOS applications.”

The Israeli application security firm said all three issues have since been patched by CocoaPods as of October 2023. CocoaPods also reset all user sessions in response to the disclosure.


One of the weaknesses, CVE-2024-38368 (CVSS score: 9.3), makes it possible for an attacker to abuse the “Claim Your Pods” process and take control of a package, effectively allowing them to tamper with the source code and introduce malicious changes.

The roots of the problem go back to 2014, when a migration to the Trunk server left thousands of packages with unknown (or unclaimed) owners, allowing an attacker to use the public API for claiming pods, together with an email address available in the CocoaPods source code (“[email protected]”), to take control of them.

The second bug is even more subtle (CVE-2024-38366, CVSS score: 10.0) and exploits an insecure email authentication workflow to run arbitrary code on the Trunk server, which could then be used to manipulate or replace packages.

A third problem, also identified in the service’s email address verification component (CVE-2024-38367, CVSS score: 8.2), could trick a recipient into clicking on a seemingly benign authentication link when, in reality, the link reroutes the request to an attacker-controlled domain in order to gain access to the developer’s session tokens.

Making matters worse, this could be escalated to a zero-click account takeover attack by spoofing HTTP headers (specifically, by modifying the X-Forwarded-Host header field) and exploiting misconfigured email security tools.
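To show the bug class behind CVE-2024-38367 from a defender's view, here is an added example that is not CocoaPods' own code (the article does not show the Trunk server's internals): a verification-link builder that trusts the X-Forwarded-Host header, beside a hardened version that only ever emits a configured canonical host and rejects requests for hosts outside an allowlist. The host names and request headers are constructed for the demonstration.

```python
# Added example: host-header injection in email verification links, the bug
# class described for CVE-2024-38367. NOT CocoaPods' code; hosts and headers
# below are constructed for illustration.
from urllib.parse import urlencode

CANONICAL_HOST = "trunk.example.test"   # assumed deployment config value
ALLOWED_HOSTS = {CANONICAL_HOST}        # hosts this app is willing to serve


def build_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from whatever host the request claims.

    A reverse proxy normally sets X-Forwarded-Host, but if the app accepts
    it from untrusted clients too, the server will mail out a link that
    points at the attacker's domain, and the session token in the query
    string is handed over when the recipient clicks it.
    """
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/sessions/verify?{urlencode({'token': token})}"


def build_link_hardened(headers: dict, token: str) -> str:
    """Ignores request headers when building the link.

    Any host the request claims (forwarded or direct) must be on the
    allowlist, otherwise the request never reaches the mail-sending path,
    and the emitted link always uses the configured canonical host.
    """
    claimed = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    if claimed.split(":")[0].lower() not in ALLOWED_HOSTS:
        raise ValueError(f"rejected request for untrusted host {claimed!r}")
    return f"https://{CANONICAL_HOST}/sessions/verify?{urlencode({'token': token})}"


def hardened_rejects(headers: dict, token: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_link_hardened(headers, token)
    except ValueError:
        return True
    return False


# Constructed sample request: Host is legitimate, X-Forwarded-Host is spoofed.
SPOOFED_HEADERS = {
    "Host": "trunk.example.test",
    "X-Forwarded-Host": "attacker.example.test",
}
```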


“We found that almost every pod owner is registered on the trunk server with their organizational email, making them vulnerable to our zero-click takeover,” the researchers said.

This is not the first time CocoaPods has come under the scanner. In March 2023, Checkmarx revealed that an abandoned subdomain associated with the dependency manager (“cdn2.cocoapods[.]org”) could have been hijacked by an adversary via GitHub Pages with the aim of hosting their payloads.
