The Cocoapods dependency manager | OpenSSH RegreSSHion
CyberInsights #146 - 100k+ libraries used by 3 mn+ apps in the Apple ecosystem exposed to a critical bug | An SSH bug that affects 700k Linux servers
Critical Bug in the Cocoapods dependency manager
Orphaned ‘pods’ in dependency managers have been exposed for over 9 years!!
It might sound like advice given by moms to their rebellious teenagers - “Clean up after yourself. There is no way one can find anything in this mess.”
It’s sound advice for software developers too.
When you think of the number of times software vulnerabilities have been found because of someone forgetting to turn something off or not cleaning up after themselves, you feel like adding mom’s life lessons in your software development security policy.
Three critical bugs in CocoaPods, a dependency manager for Apple-based software development, could leave 3 million plus iOS applications vulnerable.
A bit of detail…
What are dependency managers?
Software developers seldom code all modules from scratch. They use pieces of code built and shared by others for specific purposes. For the software to run correctly, there is a ‘dependency’ on this shared code.
Most times, it is not as straightforward as it appears. The developers of the dependencies update their code, fix bugs, etc., leading to multiple versions being created. The primary software developers have to be careful to import the right versions, or their code won’t run correctly, among other things.
A dependency manager is a piece of software that manages all these issues and imports various software ‘libraries’ to be used. Read my post on Software Bill of Material (SBOM) for more details.
What is CocoaPods?
CocoaPods is a dependency manager for Xcode projects - essentially to build Mac and iOS apps. It works by allowing the developer to add a file with a list of dependencies and their versions. Once the developer has added that list, CocoaPods manages the rest in the background. A very convenient way of managing software libraries.
If someone were to get into the CocoaPods ecosystem, they could insert malware into popular libraries.
I spoke about package managers and dependency managers two years back, relating to Python packages and PyPI.
What happened?
Simply put, CocoaPods migrated their systems in 2014. This, for some reason, left many libraries (called pods) without an owner. There are ways and means to get in, claim ownership of these libraries and insert malware.
This is an overly simplified explanation. Read the blog post by the security researcher for more technical details.
Take Action:
It’s quite simple to explain, really. Learn to manage your software bill of material (SBOM) properly. Ensure that the external libraries that you use are analyzed for security loopholes and backdoors.
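The Podfile described above records the libraries a project wants; the generated Podfile.lock records what was actually resolved, with each pod's version, the spec repo it came from and its spec checksum. Below is an added example, not code from CocoaPods or from this newsletter, that turns a lock file into a minimal SBOM-style inventory and flags pods that were not served from a spec repo you trust or that carry no checksum. The lock file content is constructed for the example (the pod names, private repo URL and checksums are made up), and the section layout it parses is my understanding of the Podfile.lock format, not a CocoaPods specification.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Podfile.lock: pod names, the private spec-repo URL and the
# checksums are all made up for this example and do not refer to real pods.
SAMPLE_LOCKFILE = """\
PODS:
  - AFNetworking (4.0.1):
    - AFNetworking/NSURLSession (= 4.0.1)
  - AFNetworking/NSURLSession (4.0.1)
  - ExamplePod (1.2.0)

DEPENDENCIES:
  - AFNetworking (~> 4.0)
  - ExamplePod

SPEC REPOS:
  trunk:
    - AFNetworking
  "https://example.invalid/private-specs.git":
    - ExamplePod

SPEC CHECKSUMS:
  AFNetworking: 1111111111111111111111111111111111111111

PODFILE CHECKSUM: 2222222222222222222222222222222222222222

COCOAPODS: 1.15.2
"""

POD_LINE = re.compile(r"^  - (\S+) \(([^)]+)\)")       # 2-space entries under PODS are top-level pods
REPO_LINE = re.compile(r'^  "?([^"]+?)"?:$')           # repo name (URLs are quoted) under SPEC REPOS
REPO_POD_LINE = re.compile(r"^    - (\S+)$")           # pods listed under a repo
CHECKSUM_LINE = re.compile(r"^  (\S+): ([0-9a-f]{40})$")


def parse_lockfile(text: str) -> List[Dict[str, Optional[str]]]:
    """Return one inventory record per top-level pod: name, version, spec repo, checksum."""
    pods: Dict[str, Dict[str, Optional[str]]] = {}
    repo_of: Dict[str, str] = {}
    checksum_of: Dict[str, str] = {}
    section = None
    current_repo = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):                   # an unindented line opens a new section
            section = line.split(":", 1)[0]
            continue
        if section == "PODS":
            m = POD_LINE.match(line)
            if m and "/" not in m.group(1):            # subspecs (Name/Sub) belong to the parent pod
                pods[m.group(1)] = {"name": m.group(1), "version": m.group(2),
                                    "repo": None, "checksum": None}
        elif section == "SPEC REPOS":
            m = REPO_LINE.match(line)
            if m:
                current_repo = m.group(1)
                continue
            m = REPO_POD_LINE.match(line)
            if m and current_repo:
                repo_of[m.group(1)] = current_repo
        elif section == "SPEC CHECKSUMS":
            m = CHECKSUM_LINE.match(line)
            if m:
                checksum_of[m.group(1)] = m.group(2)
    for name, rec in pods.items():
        rec["repo"] = repo_of.get(name)
        rec["checksum"] = checksum_of.get(name)
    return sorted(pods.values(), key=lambda r: r["name"])


def audit(inventory: List[Dict[str, Optional[str]]], trusted_repos=("trunk",)) -> List[str]:
    """Flag pods not served from a trusted spec repo, and pods with no recorded checksum."""
    findings = []
    for rec in inventory:
        if rec["repo"] not in trusted_repos:
            findings.append(f"{rec['name']} {rec['version']}: spec repo {rec['repo']!r} "
                            "is not in the trusted list")
        if rec["checksum"] is None:
            findings.append(f"{rec['name']} {rec['version']}: no spec checksum recorded")
    return findings


if __name__ == "__main__":
    inventory = parse_lockfile(SAMPLE_LOCKFILE)
    for rec in inventory:
        print(rec)
    for finding in audit(inventory):
        print("FINDING:", finding)
```

Running it on the constructed lock file lists two pods and raises two findings, both against ExamplePod: it came from a spec repo outside the trusted list and has no checksum. Run the same check in CI against the committed Podfile.lock, with the trusted list set to the spec repos your organization actually vets, and a pod that silently moves to an unknown source or loses its checksum becomes a build failure instead of a surprise.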
OpenSSH bug that could potentially affect 700k Linux servers
Race conditions lead to a potential RCE vulnerability
Race conditions are rather complex beings. A race condition occurs when two or more threads or processes of a program access and change the same asset, and the outcome depends on which one gets there first. They are not the easiest to catch in testing: a race condition does not necessarily occur every time a program is run, which makes it difficult to troubleshoot. A program with a race condition bug tends to behave weirdly.
The OpenSSH bug is a race condition that can lead to an RCE. It’s called regreSSHion because it is a ‘regression’ bug. A regression bug is one that had been fixed and closed, but has recurred in a newer release.
The bug affects OpenSSH 8.5p1 and 9.7p1 on glibc-based Linux systems.
Take Action:
OpenSSH is generally a secure piece of software, and this is a rare bug. If you have a vulnerable system, make sure that you patch it. A securely deployed SSH service is restricted to known IP addresses and machines. If that is not the case in your organization, ensure that you restrict SSH access to known IPs only.