CocoaPods vulnerabilities highlight risks in dependency managers

Three critical vulnerabilities have been disclosed for the CocoaPods dependency manager. These vulnerabilities exposed more than 3 million iOS and macOS apps to supply chain attacks between 2014 and 2023, allowing attackers to hijack pods (software packages), execute code, and gain session tokens.

Kyle Kelly
July 9th, 2024

Dependency Managers: CocoaPods

CocoaPods is a widely used dependency manager for Swift and Objective-C projects, simplifying how developers integrate third-party libraries into an application. The project is funded via sponsorships but maintained by volunteers and community contributions.

As you might suspect, compromising the way in which applications download upstream packages would be very bad. In this case, E.V.A Information Security researchers discovered three critical vulnerabilities that allow an attacker to do precisely that.

These vulnerabilities can lead to compromised upstream packages, impacting all downstream applications that depend on them—creating an opportunity for malicious code to be injected into countless applications. This is why folks like the Open Source Security Foundation (OpenSSF) are working to establish principles for package repository security.

Scenario:

  • A developer creates an iOS application using CocoaPods to leverage open-source packages.

  • One of the Pods used by their application is taken over due to a vulnerability in CocoaPods; the malicious actor injects malware into the Pod.

  • The developer packages their application and releases it to the public.

  • The developer and users of the application are now downloading and potentially executing malware on their system.

The Three Major Vulnerabilities Discovered

Unauthorized Ownership over Orphaned Pods (CVE-2024-38368)

In May 2014, CocoaPods performed a server migration that reset ownership for all published Pods; roughly ten years later, almost 2,000 unclaimed Pods remain, and many of them are still actively used by applications. The vulnerability is that, before October 2023, anyone could have claimed these orphaned Pods without the required ownership verification.

Remote Code Execution on the CocoaPods 'Trunk' Server (CVE-2024-38366)

In February 2014, the CocoaPods ‘Trunk’ server’s email validation process was updated to leverage a third-party Ruby gem, RFC-822. By abusing known vulnerabilities in the RFC-822 package, researchers obtained remote code execution on the CocoaPods server. With this access, a malicious actor can dump all pod owners’ session tokens, poison the client’s traffic, or even shut down the server completely.

Zero-Click Account Takeover by Defeating Email Security Boundaries (CVE-2024-38367)

The CocoaPods Trunk server's session creation process was vulnerable to spoofing because it handled the X-Forwarded-Host (XFH) HTTP header improperly and required nothing more than an email address. An attacker could inject a spoofed XFH header, causing the server to generate a session verification link that pointed to a domain the attacker controlled. This allowed attackers to bypass email security measures and take over accounts without user interaction, posing a significant risk to the integrity of the CocoaPods ecosystem.

Interestingly, to make this a 'zero-click' attack, the researchers abused the way email security solutions follow links found within emails. Once the email security solution clicked the link, the session was validated, and the researcher then held a session on the target's account.
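To make the XFH issue concrete, here is an added example (not code from CocoaPods or the Trunk server) that contrasts a verification-link builder which trusts the client-supplied host with one that uses a configured canonical host, plus a small check a defender could run over request headers. The host names, token format and plain header hash are constructed assumptions for the example.

```ruby
require 'uri'

# Canonical public host of the service, taken from configuration rather than
# from the request. (Constructed placeholder; the real Trunk host is not
# given on the page.)
CANONICAL_HOST = 'trunk.example.com'

# Vulnerable pattern: the link's domain comes from whatever host the request
# claims, so a spoofed X-Forwarded-Host header redirects the verification
# link to a domain of the sender's choosing.
def verification_link_vulnerable(headers, token)
  host = headers['X-Forwarded-Host'] || headers['Host']
  "https://#{host}/sessions/verify/#{token}"
end

# Hardened pattern: client-supplied host headers are ignored entirely and the
# link is built from the configured canonical host. The token must also look
# like the opaque value the server issued (32 hex characters is an assumption).
def verification_link_hardened(headers, token)
  raise ArgumentError, 'malformed session token' unless token.match?(/\A[0-9a-f]{32}\z/)
  URI::HTTPS.build(host: CANONICAL_HOST, path: "/sessions/verify/#{token}").to_s
end

# Detection helper: flag any request whose X-Forwarded-Host disagrees with
# the canonical host. Behind a trusted reverse proxy the header should only
# ever carry the real public host, so a mismatch is worth logging.
def suspicious_forwarded_host?(headers)
  xfh = headers['X-Forwarded-Host']
  !xfh.nil? && xfh.downcase != CANONICAL_HOST
end

# Constructed sample request: a legitimate Host header plus a spoofed XFH.
SPOOFED_REQUEST = {
  'Host' => 'trunk.example.com',
  'X-Forwarded-Host' => 'attacker.example.net'
}.freeze
SAMPLE_TOKEN = '0123456789abcdef0123456789abcdef'

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable:  #{verification_link_vulnerable(SPOOFED_REQUEST, SAMPLE_TOKEN)}"
  puts "hardened:    #{verification_link_hardened(SPOOFED_REQUEST, SAMPLE_TOKEN)}"
  puts "suspicious?  #{suspicious_forwarded_host?(SPOOFED_REQUEST)}"
end
```

Real frameworks expose the header differently (Rack uses `HTTP_X_FORWARDED_HOST`), so adapt the lookup to your stack.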

Implications for Developers and Users

The implications of these vulnerabilities are far-reaching. For developers, it means the potential compromise of their applications, leading to data breaches, unauthorized access, and other security incidents. Users of these applications are at risk of having their data exposed or their devices compromised. Such vulnerabilities significantly undermine the trust placed in the security and integrity of applications.

These specific vulnerabilities were remediated as of October 2023, but we will likely never know whether the researchers were the first to discover them or whether malicious actors had already abused them. Equally important, dependency managers like CocoaPods need support to improve their security posture.

About

Semgrep lets security teams partner with developers and shift left organically, without introducing friction. Semgrep gives security teams confidence that they are only surfacing true, actionable issues to developers, and makes it easy for developers to fix these issues in their existing environments.