CVE-2024-38368 is a vulnerability in the open-source supply chain of iOS and macOS applications.
CocoaPods is a dependency manager for Swift and Objective-C: essentially the npm, RubyGems or PyPI equivalent for those languages. Over 100,000 libraries are hosted on CocoaPods, and they are used in over 3 million iOS applications.
The vulnerability allows a malicious actor to take over a 'Pod' (a package) completely under specific circumstances.
The attacker could then publish new versions of the pod containing malware, so that any project upgrading to the latest version would pull that malware straight into its application.
Specifically, the vulnerability allows takeover of what are called 'unclaimed pods', also referred to as 'orphaned pods'.
These made up about 2% of the pods in the CocoaPods ecosystem, or 1,886 pods at the time of discovery.
To understand the vulnerability we need to go back to 2014, when CocoaPods changed its account management workflow.
In what was likely an attempt to improve security and become less reliant on GitHub, CocoaPods introduced a new way of identifying authors: creating an account directly with CocoaPods (the Trunk server) to manage each pod.
During the transition, authors had to 'claim' their pods; a pod whose author never claimed it became an orphaned pod.
A single curl request to the publicly reachable CocoaPods API was enough to claim an orphaned pod: the attacker only had to supply the target pod's name, with no proof of ownership required.
As noted above, around 2% of pods are affected, and while many of them are still in use, they are no longer actively maintained.
The vulnerability lay dormant for a decade; at any point in those ten years someone could have discovered it and claimed the orphaned pods, and right now there is no way of knowing whether that happened.
If the recent XZ Utils backdoor has taught us anything, it is that malicious actors will invest years in a supply-chain attack, so there could be malicious accounts already sitting on claimed pods, waiting to push malicious versions into the iOS world.
Supply-chain vulnerabilities like this one are challenging because much of the supply chain is outside your control.
In this case, the vulnerability only really affects pods that were never claimed, so if you use well-maintained packages your exposure is lower.
Unclaimed pods are called 'orphaned pods', and you should check whether any of them are used by your applications. Recommended steps:
Keep the Podfile.lock in version control and shared with all developers on the project, so everyone resolves exactly the same pinned versions of each pod.
If you use a pod that is developed internally and hosted on CocoaPods only for distribution, compare a cryptographic hash (for example SHA-256) of the files downloaded from the CocoaPods Trunk server against the internally built copy. A CRC only detects accidental corruption; it is not collision-resistant and will not reliably reveal deliberate tampering.
Review your CocoaPods dependencies and verify that none of them is an orphaned pod.
Periodically run security code scans on all external libraries, especially pods, to detect embedded secrets and malicious code.
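The two checks above, orphan review and hash comparison, can be scripted. The Ruby below is an added example written for this page; it is not code from the article or from the CocoaPods project. It parses a constructed Podfile.lock to list the root pods and their pinned versions, flags any pod whose Trunk owner list is empty or carries the placeholder address that unclaimed pods are assumed here to have (`unclaimed-pods@cocoapods.org`, an assumption to confirm with `pod trunk info <PodName>`), and compares an order-independent SHA-256 digest of a pod's file tree between an internal build and a download. The lockfile, owner lists and file trees are all constructed inline so the script runs offline; `read_tree` shows how to build the same map from a real `Pods/<Name>` checkout.

```ruby
require 'yaml'
require 'digest'

# Owner address that orphaned pods carry on the Trunk server.
# ASSUMPTION for this example: confirm with `pod trunk info <PodName>`.
UNCLAIMED_OWNER = 'unclaimed-pods@cocoapods.org'

# Constructed sample Podfile.lock (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  PODS:
    - AFNetworking (4.0.1):
      - AFNetworking/NSURLSession (= 4.0.1)
    - AFNetworking/NSURLSession (4.0.1)
    - OldUtilityPod (0.3.2)

  DEPENDENCIES:
    - AFNetworking (~> 4.0)
    - OldUtilityPod

  SPEC REPOS:
    trunk:
      - AFNetworking
      - OldUtilityPod

  SPEC CHECKSUMS:
    AFNetworking: 7864c38297c79aaca1500c33288e429c3451fdce
    OldUtilityPod: deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

  COCOAPODS: 1.15.2
LOCK

# Constructed stand-in for the owner lists Trunk reports for each pod.
SAMPLE_OWNERS = {
  'AFNetworking'  => ['maintainer@example.com'],
  'OldUtilityPod' => [UNCLAIMED_OWNER]
}.freeze

# Root pod name => pinned version, taken from the PODS section.
# Subspecs such as "AFNetworking/NSURLSession" roll up to their root pod.
def locked_pods(lockfile_text)
  lock = YAML.safe_load(lockfile_text)
  pods = {}
  Array(lock['PODS']).each do |entry|
    spec = entry.is_a?(Hash) ? entry.keys.first : entry
    name, version = spec.match(/\A(\S+) \(([^)]+)\)\z/).captures
    pods[name.split('/').first] ||= version
  end
  pods
end

# Pods whose owner list is empty or contains the unclaimed placeholder.
# A pod with no owner record at all is reported too: nobody vouches for it.
def orphaned_pods(pods, owners_by_pod)
  pods.keys.select do |name|
    owners = owners_by_pod.fetch(name, [])
    owners.empty? || owners.include?(UNCLAIMED_OWNER)
  end
end

# SHA-256 over a pod's file tree (path => bytes), independent of file order
# and timestamps, so an internal build and the Trunk download compare equal
# only when every file's content matches.
def tree_digest(files)
  sha = Digest::SHA256.new
  files.sort.each do |path, bytes|
    sha << path << "\0" << Digest::SHA256.hexdigest(bytes) << "\n"
  end
  sha.hexdigest
end

# Build the path => bytes map from a checked-out directory, e.g. Pods/<Name>.
def read_tree(dir)
  Dir.glob('**/*', File::FNM_DOTMATCH, base: dir)
     .select { |p| File.file?(File.join(dir, p)) }
     .to_h { |p| [p, File.binread(File.join(dir, p))] }
end

# Constructed file trees: the internal build, an identical download, and a
# download with one source file altered.
INTERNAL_BUILD = { 'Sources/Util.swift' => "public func util() {}\n", 'LICENSE' => "MIT\n" }.freeze
DOWNLOADED     = { 'LICENSE' => "MIT\n", 'Sources/Util.swift' => "public func util() {}\n" }.freeze
TAMPERED       = DOWNLOADED.merge('Sources/Util.swift' => "public func util() { beacon() }\n").freeze

if __FILE__ == $PROGRAM_NAME
  pods = locked_pods(SAMPLE_LOCKFILE)
  puts "locked pods: #{pods}"
  puts "orphaned pods: #{orphaned_pods(pods, SAMPLE_OWNERS)}"
  puts "download matches internal build: #{tree_digest(INTERNAL_BUILD) == tree_digest(DOWNLOADED)}"
  puts "tampered download detected: #{tree_digest(INTERNAL_BUILD) != tree_digest(TAMPERED)}"
end
```

In a real pipeline, replace `SAMPLE_OWNERS` with the owner lists obtained from `pod trunk info` for each root pod in the lockfile, and feed `tree_digest(read_tree('Pods/YourInternalPod'))` from the CI checkout alongside the digest of your internally built copy; a mismatch means the published pod is not the one you built.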
This Cyber News was published on securityboulevard.com. Publication date: Wed, 03 Jul 2024 20:43:07 +0000