Going Cuckoo For CocoaPods, Among Other Horrifying Issues
This week has not been good for the sanity of system admins and knowledgeable users both, as there is hardly a system nor network that remains untouched by a new insecurity issues. The Intel Raptor Lake or Alder Lake system you are running is vulnerable to an all new branch prediction attack which is called Indirector. The Indirect Branch Predictor used in those architectures turns out to be designed with a predictable structure that allows for high precision manipulation. While there is a fix available, it comes with the same performance hit associated with previous speculative execution patches and you can expect to see significant performance hits after applying it. In some cases Linux systems are seeing their performance reduced by 50%.
There is more bad news for those that use Linux instead of Windows in the form of regreSSHion. As the name implies it makes use of one of your most trusted remote access tools to give attackers root privileges on glibc-based Linux systems. Thanks to a race condition in sshd if a client does not authenticate within the defined LoginGraceTime variable it is possible to trigger the system to run programs as root, without the hassle of actually authenticating. Thankfully it is rather difficult to leverage, and Bleeping Computer offers ways to protect yourself against it, which you should definitely check out.
AMD user, or those with newer Intel systems that run Windows shouldn’t feel to smug either! There is a brand new 0-day attacking Cisco Nexus switches, and even if you don’t use one inside your network there is a fair chance your internet traffic may pass through one. It is a mere 6.0 and so has been overshadowed by the other flaws but leaving a network open to command injections is a bad thing. The flaw was discovered as part of a thorough investigation of attacks used by the Velvet Ant group, and there may be more undiscovered flaws out there. There is a patch, and it should definitely be high on your list of things to do!
That just leaves the Apple users, and their present is particularly hideous. These flaws have been patched but the damage has already been done. It arises from CocoaPods, an open source dependency manager, which is something you may have never really thought about when firing up apps on your electronic fruit, but after this you might want to. CocoaPods is used to manage over three million applications, and it underwent a migration back in 2014 in a way guaranteed to lead to horrendous insecurity.
When Apple migrated CocoaPods to a new GitHub server, the ownership of all of those dependency repositories was reset and Apple asked for developers to take authorship of them on the new platform. There were abandoned apps left to claim, developers who would have, but never got the message, and Pods that likely more than a few enterprising criminals that claimed to be the author when the migration occurred. Once you been confirm yourself as the author via a simple CURL request you can fill that Pod with whatever malware you like, and the app users will be none the wiser.
To add insult to injury there was an additional 10 out of 10 attack associated with the way authors were authenticated. A trunk server used to send verification links to new devices was left vulnerable for quite some time. The server would accept emails with spoofed XFH headers and send them onto the user. With a little bit of modification the attackers could modify it in such a way as to trick the email scanning services we all depend upon to provide the recipients session tokens. From there they could take over the Pod completely and spread malware to their rotten heart’s content.
If you own an Apple, you would have been vulnerable until these were patched and there was no way to know. The CocoaPods vulnerability was never disclosed until it was patched this year, a decade after it started.
Source link
