Analysis Summary

Researchers have uncovered three critical security flaws in the CocoaPods dependency manager widely used in Swift and Objective-C Cocoa projects. These vulnerabilities posed severe risks enabling potential software supply chain attacks that could compromise downstream customers.

The flaws allowed malicious actors to claim ownership of unclaimed pods and inject malicious code into popular iOS and macOS applications. CocoaPods has patched these issues as of October 2023 and reset all user sessions in response to the disclosures. Researchers said that one of the vulnerabilities, CVE-2024-38368, with a CVSS score of 9.3 exploited the "Claim Your Pods" process.

Attackers could take control of packages if all previous maintainers were removed allowing them to tamper with the source code. This issue stemmed from a 2014 migration to the Trunk server which left many packages without claimed owners. Attackers could utilize a public API and an email address available in the CocoaPods source code to claim these pods.

The second, more critical vulnerability, CVE-2024-38366, with a CVSS score of 10.0 exploited an insecure email verification workflow. This allowed arbitrary code execution on the Trunk server, enabling manipulation or replacement of packages. Additionally, another vulnerability, CVE-2024-38367, with a CVSS score of 8.2 exploited the email verification component to reroute verification links to attacker-controlled domains leading to session token theft and potential zero-click account takeover through HTTP header spoofing.

This isn't the first security issue CocoaPods has faced. In March 2023, researchers identified a potential sub-domain hijacking risk via GitHub Pages, which could have been used to host malicious payloads. The recent vulnerabilities emphasize the ongoing need for vigilance and robust security measures in managing open-source dependencies to protect against software supply chain threats.

Impact

• Security Bypass
• Code Execution
• Gain Access

Indicators of Compromise

CVE

• CVE-2024-38368
• CVE-2024-38366
• CVE-2024-38367

Affected Vendors

Remediation

• Refer to CocoaPods GIT Repository for patch, upgrade, or suggested workaround information.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.