Endor Labs warns of critical vulnerabilities in CocoaPods
Endor Labs, a software supply chain security firm, has highlighted three security vulnerabilities in CocoaPods, the widely used dependency manager for Swift and Objective-C applications. Because so much of the iOS ecosystem pulls its dependencies through CocoaPods, the flaws put popular apps such as Instagram, Slack, Airbnb, Tinder and Uber at risk.
Darren Meyer, a staff research engineer at Endor Labs, elaborated on these issues in a blog post. He detailed three serious vulnerabilities, tracked as CVE-2024-38368, CVE-2024-38367 and CVE-2024-38366, each of which threatens the software supply chain of any project that takes dependencies from CocoaPods. The first, CVE-2024-38368, arises from a flaw in the design of the CocoaPods server. "The CocoaPods server allows any CocoaPods user to claim a Pod that doesn't have an identified owner, without any verification," Meyer wrote. An adversary only needs to register a CocoaPods account, claim such an orphaned Pod, and publish a new version of it; projects that depend on the Pod then pull the attacker's code while it still appears to come from a legitimate maintainer.
The implications are serious. Meyer noted, "If this vulnerability was ever exploited (which we don't know yet), that could have a big impact on an organization's supply chain for Swift and Objective-C applications." Because CocoaPods does not expose an easily queried ownership history, he added, finding out whether an organisation was affected means reconstructing the ownership history of every Pod it uses, which is laborious work.
The second vulnerability, CVE-2024-38367, stems from the CocoaPods server trusting a client-supplied request header when it builds the link in the account-verification e-mail. By spoofing that header, an attacker can point the verification link at a host they control, capture it, and take over the account; with control of a maintainer's account they can replace a Pod with a malicious version. "Defenders should check to see if owner data has recently changed, and examine current versions to determine if there are potentially malicious instructions," Meyer advised. The window to examine is long: the flaw has existed for about a decade, so such checks may need to reach back as far as ten years.
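One way to act on that advice is to keep a baseline of each dependency's owners and podspec checksum from the last audited install and diff a fresh snapshot against it. The script below is an added example written for this page; it is not code from Endor Labs or from the CocoaPods project. It parses the pods pinned in a Podfile.lock (a YAML file, so Ruby's YAML loader handles it), folds subspecs into their root pod, and reports owners added or removed and podspecs whose checksum changed while the version stayed the same. The Podfile.lock excerpt, pod names, checksums and owner lists are all constructed; in practice the "current owners" hash would be filled from whatever owner data you retrieve for each pod.

```ruby
# Added example (not from the Endor Labs post or CocoaPods itself): inventory the
# pods pinned in a Podfile.lock and diff their owner lists and podspec checksums
# against a saved baseline, to spot owner changes or podspecs replaced in place.
require "yaml"
require "set"

# Constructed Podfile.lock excerpt (pod names and checksums are illustrative).
PODFILE_LOCK = <<~LOCK
  PODS:
    - NetKit (4.0.1):
      - NetKit/Session (= 4.0.1)
    - NetKit/Session (4.0.1)
    - ImageCache (5.9.1)

  DEPENDENCIES:
    - NetKit (~> 4.0)
    - ImageCache

  SPEC CHECKSUMS:
    NetKit: 7864c38297c79aaca1500c33288e429c3451e9c0
    ImageCache: f36a35757af4587d8e4f4bfa223ad10be2422b8c

  COCOAPODS: 1.15.2
LOCK

# Constructed baseline recorded at the last audited `pod install`: for each root
# pod, its version, podspec checksum and the owner e-mails known at the time.
BASELINE = {
  "NetKit"     => { "version" => "4.0.1",
                    "checksum" => "7864c38297c79aaca1500c33288e429c3451e9c0",
                    "owners" => ["maintainer@example.com"] },
  "ImageCache" => { "version" => "5.9.1",
                    "checksum" => "0123abcd0123abcd0123abcd0123abcd0123abcd",
                    "owners" => ["alice@example.com", "bob@example.com"] },
}

# Constructed "current" owner lists, standing in for a fresh query of each
# pod's owner records.
CURRENT_OWNERS = {
  "NetKit"     => ["maintainer@example.com", "newcomer@example.net"],
  "ImageCache" => ["alice@example.com", "bob@example.com"],
}

# Parse the lock into {root_pod_name => version}. PODS entries are either plain
# strings ("Name (1.2.3)") or one-key hashes for pods with sub-dependencies.
# Subspecs such as "NetKit/Session" are folded into their root pod.
def locked_pods(lock_text)
  data = YAML.safe_load(lock_text)
  pods = {}
  Array(data["PODS"]).each do |entry|
    spec = entry.is_a?(Hash) ? entry.keys.first : entry
    m = spec.match(/\A(\S+) \((\S+)\)\z/) or next
    root = m[1].split("/").first
    pods[root] ||= m[2]
  end
  pods
end

# {root_pod_name => podspec checksum} as recorded in the lock file.
def locked_checksums(lock_text)
  data = YAML.safe_load(lock_text)
  (data["SPEC CHECKSUMS"] || {}).transform_values(&:to_s)
end

# Returns [[pod, finding], ...]. A checksum that changes while the version does
# not means the podspec for an already-published version was replaced upstream,
# which is exactly what a hijacked owner account would be used for.
def audit(lock_text, baseline, current_owners)
  findings = []
  sums = locked_checksums(lock_text)
  locked_pods(lock_text).each do |pod, version|
    base = baseline[pod]
    unless base
      findings << [pod, "no baseline: new dependency, review before trusting"]
      next
    end
    if base["version"] == version && base["checksum"] != sums[pod]
      findings << [pod, "podspec checksum changed while version stayed #{version}"]
    end
    now = Set.new(current_owners.fetch(pod, []))
    was = Set.new(base["owners"])
    findings << [pod, "owners added: #{(now - was).to_a.sort.join(', ')}"] unless (now - was).empty?
    findings << [pod, "owners removed: #{(was - now).to_a.sort.join(', ')}"] unless (was - now).empty?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(PODFILE_LOCK, BASELINE, CURRENT_OWNERS).each { |pod, msg| puts "#{pod}: #{msg}" }
end
```

Run against the constructed data it flags NetKit for a newly added owner and ImageCache for a podspec checksum that changed without a version bump; either finding is the cue to pull the current podspec and read its build and download instructions before the next `pod install`. A baseline only helps if it was captured before the window of exposure, which for this flaw is long, so treat an unexplained owner change as a reason to review the Pod's full version history rather than just the latest release.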
The third vulnerability, CVE-2024-38366, is a flaw in rfc-822, a Ruby gem that CocoaPods uses to validate e-mail addresses. A crafted address lets an attacker execute code on the CocoaPods server. Meyer warned, "If you, as a defender, are using the rfc-822 Ruby gem, you will want to know about it because you might need to mitigate this Remote Code Execution vulnerability in your software." He also emphasised that defenders should consult their Software Bills of Materials (SBOMs) to find out whether any third-party vendor ships this vulnerable library.
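The class of bug behind an input validator that turns into remote code execution is worth seeing side by side with its fix. The snippet below is an added illustration written for this page, not the rfc-822 gem's code and not CocoaPods' code: `mx_check_unsafe` shows the pattern of interpolating the domain part of a submitted address into a shell command (with `echo` standing in for a real DNS tool so the demonstration is harmless), and `mx_check_safe` shows the hardened shape, which parses the address strictly, rejects anything that is not a plain hostname before any lookup, and resolves MX records with the standard library's Resolv::DNS so no shell is ever involved. The `resolver:` parameter and the `HOSTNAME` pattern are this example's own design choices, added so the safe path can be exercised offline.

```ruby
# Added example (not the rfc-822 gem's code): a shell-based MX "check" that is
# injectable, beside a hardened version that never reaches a shell.
require "resolv"

# VULNERABLE PATTERN: the domain, taken straight from the submitted address, is
# interpolated into a command string. Ruby hands strings containing shell
# metacharacters to /bin/sh, so everything after ';' runs as its own command.
# `echo` stands in for a real DNS tool so the demonstration is harmless.
def mx_check_unsafe(email)
  domain = email.split("@", 2).last
  `echo mx-lookup #{domain}`
end

# Hostname grammar (assumed for this example): dot-separated labels of letters,
# digits and hyphens, at most 253 characters, alphabetic TLD. Shell metacharacters
# (';', '|', '$', backticks, spaces) cannot match, so they are rejected up front.
HOSTNAME = /\A(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i

# Returns [local_part, domain] or nil when the address is malformed.
def split_address(email)
  local, domain = email.to_s.split("@", 2)
  return nil if local.nil? || domain.nil? || local.empty?
  return nil unless local.match?(/\A[a-z0-9._%+-]+\z/i)
  return nil unless domain.match?(HOSTNAME)
  [local, domain]
end

# Default resolver: MX lookup in pure Ruby via the stdlib DNS client, so the
# domain is passed as data to a library call rather than as text to a shell.
DEFAULT_RESOLVER = lambda do |domain|
  Resolv::DNS.open do |dns|
    dns.getresources(domain, Resolv::DNS::Resource::IN::MX).map { |r| r.exchange.to_s }
  end
end

# HARDENED: returns the list of MX hosts, or nil when the address is rejected
# before any lookup happens. Malformed input never reaches a subprocess or the
# network. The resolver is injectable so the logic can be tested offline.
def mx_check_safe(email, resolver: DEFAULT_RESOLVER)
  parts = split_address(email)
  return nil unless parts
  resolver.call(parts.last)
end

if __FILE__ == $PROGRAM_NAME
  payload = "a@example.com; echo INJECTED"
  puts "unsafe output: #{mx_check_unsafe(payload).inspect}"   # second command ran
  puts "safe result:   #{mx_check_safe(payload).inspect}"     # nil, rejected early
end
```

If a validator genuinely has to call an external tool, the same rule applies: use the argv form (`Open3.capture2("dig", "+short", "mx", domain)` or `Process.spawn` with separate arguments) so the domain is an argument and not part of a command line, and still validate the hostname first. Note that the unsafe function is the one to search for in your own code and in SBOM-listed dependencies: any backtick, `system("...")` or `%x()` whose string includes user-controlled data is the same bug regardless of which library it lives in.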
Meyer underscored the broader implications of these vulnerabilities, stating, "When there are serious software supply chain security (SSCS) issues like this, it's easy to point a finger at the volunteers who build and maintain these critical package repositories. But SSCS issues affect everyone, and defence is therefore everyone's job." Highlighting the need for a collective approach, he stressed the importance of supporting projects like the CocoaPods repository to ensure they have adequate resources to maintain security.
To mitigate the risks, Meyer recommended several proactive measures. Organisations should maintain an accurate software inventory that includes their open-source software (OSS) dependencies, and respond swiftly when risks in those dependencies are reported. He also advised monitoring for risks beyond published CVEs, using guidance such as the OWASP Top 10 OSS Risks, and running a comprehensive package-monitoring system. Finally, businesses are encouraged to produce and consume SBOM and Vulnerability Exploitability eXchange (VEX) documents to cover the parts of their supply chain they cannot scan themselves, and to keep up with responsible security research and disclosure efforts.
These vulnerabilities highlight the ongoing challenges of maintaining security within software supply chains. The insights provided by Endor Labs aim to prompt organisations to take immediate and sustained action to safeguard their systems and applications.