
A significant security vulnerability has been unearthed in CocoaPods, a popular dependency manager used for Swift and Objective-C Cocoa projects. This discovery, made by E.V.A Information Security researchers Reef Spektor and Eran Vaknin, highlights severe risks associated with software supply chain attacks that could compromise numerous iOS and macOS applications.
The vulnerabilities, now patched by CocoaPods as of October 2023, have the potential to allow malicious actors to exploit unclaimed pods, insert malicious code, and compromise the security of a vast number of applications. According to the researchers, these flaws could permit an attacker to take control of thousands of unclaimed pods, endangering downstream customers with malicious modifications to their software.
Unveiling the Vulnerabilities
The first vulnerability, identified as CVE-2024-38368 with a CVSS score of 9.3, involves the “Claim Your Pods” process. This flaw enables an attacker to claim ownership of a package if all previous maintainers have been removed. By exploiting this process, attackers can alter the source code, injecting harmful code into the pod. This issue traces back to 2014, when a migration to the Trunk server left many packages with unknown or unclaimed owners, making them vulnerable to takeover through a public API.
The second critical vulnerability, CVE-2024-38366, holds a CVSS score of 10.0. It exploits an insecure email verification workflow, allowing attackers to execute arbitrary code on the Trunk server. This vulnerability could enable attackers to manipulate or replace packages on the server, escalating the risk of compromised applications.
A third vulnerability, CVE-2024-38367 with a CVSS score of 8.2, pertains to the email address verification component. This flaw could deceive recipients into clicking on a seemingly benign verification link that actually redirects them to an attacker-controlled domain, granting access to developer session tokens. The impact is compounded by the possibility of a zero-click account takeover: by spoofing HTTP headers such as the X-Forwarded-Host field and abusing misconfigured email security tools, an attacker could obtain the token without the recipient clicking anything.
Exploiting the Vulnerabilities
The researchers have highlighted a critical aspect: nearly all pod owners are registered with their organizational email addresses on the Trunk server, making them particularly vulnerable to zero-click takeover attacks. This flaw is especially alarming as it could allow attackers to gain control without any interaction from the user, simply by manipulating HTTP headers and exploiting insecure email configurations.
Historical Context and Previous Incidents
This isn’t the first time CocoaPods has been in the spotlight for security issues. In March 2023, Checkmarx revealed another critical vulnerability involving an abandoned sub-domain (“cdn2.cocoapods[.]org”). This sub-domain could have been hijacked by adversaries via GitHub Pages to host malicious payloads, further exposing the dependency manager to potential attacks.
Immediate Response and Mitigation
In response to these disclosures, CocoaPods has taken prompt action by patching the vulnerabilities and resetting all user sessions as of October 2023. This measure aims to mitigate the risk posed by these flaws. Users and developers are advised to update their CocoaPods installation to the latest version to protect against these vulnerabilities.

Call to Action for Developers
Developers using CocoaPods should take the following steps to secure their applications:
Update CocoaPods: Ensure that all installations are updated to the latest version to incorporate the security patches.
Review Dependencies: Audit and verify the integrity of all dependencies used in your projects. Look out for any suspicious activity or changes in your pods.
Enhance Security Practices: Implement stronger security measures, such as enabling multi-factor authentication for accounts associated with CocoaPods and using secure email practices.
Stay Informed: Keep abreast of the latest security advisories and updates from CocoaPods and other related security bodies to respond quickly to emerging threats.
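One way to act on the "Review Dependencies" step, as an added example that is not from the article or from the CocoaPods project: a Ruby script that diffs a trusted Podfile.lock baseline against the current lockfile and flags new pods, version bumps and, most importantly, podspec checksums that changed without a version bump. The pod names and checksums in the samples are constructed; note that this checks only the published podspec, not the source the podspec points to.

```ruby
require "yaml"
# Podfile.lock is YAML: PODS lists "Name (version)" entries (a one-key hash
# when that pod has dependencies) and SPEC CHECKSUMS maps pod -> podspec SHA-1.
def parse_lockfile(text)
  doc = YAML.safe_load(text)
  versions = Array(doc["PODS"]).to_h do |entry|
    label = entry.is_a?(Hash) ? entry.keys.first : entry
    label.match(/\A(\S+) \((.+)\)\z/).captures
  end
  # to_s guards against an all-digit checksum being read back as an Integer.
  { versions: versions, checksums: (doc["SPEC CHECKSUMS"] || {}).transform_values(&:to_s) }
end

# Compare a trusted baseline lockfile with the current one; returns [severity,
# pod, message] triples. "alert" = podspec changed with no version bump.
def audit_lockfiles(baseline_text, current_text)
  base, cur = parse_lockfile(baseline_text), parse_lockfile(current_text)
  cur[:versions].keys.filter_map do |pod|
    vb, vc = base[:versions][pod], cur[:versions][pod]
    if vb.nil?
      ["info", pod, "new dependency #{vc}"]
    elsif vb != vc
      ["review", pod, "version #{vb} -> #{vc}"]
    elsif base[:checksums][pod] != cur[:checksums][pod]
      ["alert", pod, "podspec checksum changed at #{vb}"]
    end
  end
end
# Constructed sample lockfiles: fictional pod names, placeholder checksums.
BASELINE_LOCK = <<~LOCK
  PODS:
    - ExampleLogger (2.1.0):
      - ExampleNet
    - ExampleNet (5.6.4)
  SPEC CHECKSUMS:
    ExampleLogger: cdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd
    ExampleNet: abababababababababababababababababababab
LOCK
CURRENT_LOCK = <<~LOCK
  PODS:
    - ExampleLogger (2.1.0):
      - ExampleNet
    - ExampleMetrics (1.0.0)
    - ExampleNet (5.7.0)
  SPEC CHECKSUMS:
    ExampleLogger: efefefefefefefefefefefefefefefefefefefef
    ExampleMetrics: 1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a
    ExampleNet: babababababababababababababababababababa
LOCK
audit_lockfiles(BASELINE_LOCK, CURRENT_LOCK).each { |f| puts f.join("  ") }
```

To use it on a real project, commit a reviewed Podfile.lock as the baseline and call audit_lockfiles with that file's contents and the freshly generated one, treating any "alert" as a reason to inspect the pod before building.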
Conclusion
The discovery of these critical vulnerabilities in CocoaPods underscores the importance of robust security practices in managing software dependencies. As the ecosystem continues to evolve, proactive measures and vigilant monitoring are essential to safeguarding against potential threats. CocoaPods’ swift response to patch these issues is commendable, but the onus is also on developers to maintain security vigilance and ensure the integrity of their applications.