Critical Flaws in CocoaPods Expose iOS and macOS Apps to Supply Chain Attacks
Crypto CIE –
A set of three security vulnerabilities has been discovered in CocoaPods, a dependency manager for Swift and Objective-C Cocoa projects.
These flaws could be exploited by malicious actors to stage software supply chain attacks, putting downstream customers at significant risk.
**Key Points:**
– **Vulnerability 1 (CVE-2024-38368, CVSS score: 9.3):**
– Allows attackers to abuse the “Claim Your Pods” process and take control of a package.
– Enables tampering with source code and introducing malicious changes.
– Requires all prior maintainers to have been removed from the project.
– Stems from a 2014 migration to the Trunk server that left thousands of packages with unknown or unclaimed owners.
– **Vulnerability 2 (CVE-2024-38366, CVSS score: 10.0):**
– Exploits an insecure email verification workflow to run arbitrary code on the Trunk server.
– Can be used to manipulate or replace packages.
– **Vulnerability 3 (CVE-2024-38367, CVSS score: 8.2):**
– Tricks recipients into clicking on a seemingly benign verification link that reroutes to an attacker-controlled domain.
– Allows attackers to gain access to a developer’s session tokens.
– Can be upgraded to a zero-click account takeover attack by spoofing an HTTP header (X-Forwarded-Host) and exploiting misconfigured email security tools.
– The vulnerabilities were patched by CocoaPods in October 2023, and all user sessions were reset in response to the disclosures.
– Almost every pod owner is registered with their organizational email on the Trunk server, exposing them to the zero-click account takeover.
– In March 2023, an abandoned sub-domain associated with CocoaPods was found to be potentially hijackable by an adversary via GitHub Pages to host payloads.
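The third flaw hinges on a server building its e-mail verification link from a request header the client controls. The following Ruby snippet is an added illustration, not code from CocoaPods Trunk or from the researchers: a hypothetical Sinatra-style handler that derives the link host from X-Forwarded-Host (as proxy-aware frameworks such as Rack do) next to the hardened form that pins the link to a configured canonical host and rejects requests for hosts the server does not own. The hostnames, the `/sessions/verify/` path and the flat `env` hash are assumptions for the example.

```ruby
# Added example (not CocoaPods Trunk code): verification link built from the
# request host versus one built from a configured canonical host.
# Hostnames, the link path and the env layout are assumptions for illustration.

# The only hostname(s) this server should ever place into an outbound link.
CANONICAL_HOST = "trunk.example.org".freeze
TRUSTED_HOSTS  = [CANONICAL_HOST].freeze

# Pick the host the way a proxy-aware framework does: X-Forwarded-Host wins over
# Host. Rack's Request#host consults this header, and when no trusted proxy
# strips it, its value is whatever the client sent. This example takes the first
# entry of a comma-separated chain; which entry a given framework picks varies.
def request_host(env)
  raw = env["HTTP_X_FORWARDED_HOST"] || env["HTTP_HOST"] || ""
  raw.split(",").first.to_s.strip.downcase
end

# Vulnerable: the e-mail link inherits whatever host the request claimed, so a
# spoofed X-Forwarded-Host turns the mail into a link to the attacker's domain
# with the genuine verification token embedded in it.
def verification_link_unsafe(env, token)
  "https://#{request_host(env)}/sessions/verify/#{token}"
end

# Hardened, step 1: refuse to serve requests whose host is not one we own,
# rather than silently falling back to a default.
def trusted_request?(env)
  TRUSTED_HOSTS.include?(request_host(env))
end

# Hardened, step 2: never derive the link host from the request at all.
def verification_link_safe(env, token)
  raise ArgumentError, "untrusted host: #{request_host(env).inspect}" unless trusted_request?(env)
  "https://#{CANONICAL_HOST}/sessions/verify/#{token}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: a legitimate Host plus a spoofed X-Forwarded-Host.
  spoofed = { "HTTP_HOST" => CANONICAL_HOST, "HTTP_X_FORWARDED_HOST" => "attacker.example" }
  puts "unsafe: #{verification_link_unsafe(spoofed, 'abc123')}"
  begin
    verification_link_safe(spoofed, "abc123")
  rescue ArgumentError => e
    puts "safe: rejected (#{e.message})"
  end
end
```

The allowlist check matters as much as the canonical host: if the server keeps answering requests for arbitrary hosts, other absolute URLs it emits (password resets, OAuth callbacks, cache keys) remain exposed to the same header. In a Rails deployment this is what `config.hosts` (the Host Authorization middleware) enforces; a reverse proxy that overwrites X-Forwarded-Host on the way in gives the same guarantee one layer earlier.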
Link: https://cryptocie.com/critical-flaws-in-cocoapods-expose-ios-and-macos-apps-to-supply-chain-attacks