Home Cyber Crime Vulnerability in Homebrew macOS package manager could allow arbitrary code execution

Vulnerability in Homebrew macOS package manager could allow arbitrary code execution


Flaw meant malicious code injected into Cask repo was merged robotically

Vulnerability in Homebrew macOS package manager could allow arbitary code execution

A vulnerability in Homebrew, the enormously fashionable open source package deal supervisor for macOS and Linux, enabled attackers to execute malicious Ruby code on machines working the appliance.

Safety researcher ‘RyotaK’ discovered the flaw throughout a vulnerability evaluation sanctioned by the mission maintainers after probing the CI script that Homebrew runs utilizing GitHub Actions.

The Japanese researcher discovered that “within the  repository, it was potential to merge the malicious pull request by complicated the library that’s used within the automated pull request evaluate script developed by the Homebrew mission”, in response to a blog post printed on April 21.

Spoofing the parser

In a security alert, Homebrew maintainer Markus Reiter stated: “This is because of a flaw within the dependency of the  GitHub Motion, which is used to parse a pull request’s for inspection.

“Because of this flaw, the parser may be spoofed into utterly ignoring the offending strains, leading to efficiently approving a malicious pull request.”

The difficulty arose, he continued, as a result of: “Each time an affected cask faucet obtained a pull request to vary solely the model of a cask, the  GitHub Motion would robotically evaluate and approve the pull request. The approval would then set off the GitHub Motion which might merge the accepted pull request.”

Securing the repo

In gentle of the findings, which have been reported to Homebrew’s HackerOne program, Reiter stated the susceptible and  GitHub Actions have been disabled and faraway from all repositories.

Furthermore, bots can now not decide to  repositories, with pull requests now requiring a guide evaluate and approval by a maintainer.

“We’re bettering documentation to assist onboard new homebrew/cask maintainers and coaching present homebrew/core maintainers to assist with homebrew/cask,” added Reiter.

RyotaK compromised a single cask “with a innocent change at some stage in the demonstration pull request till its reversal”, he continued. “No motion is required by customers attributable to this incident.”

The gravity of the bug prompted RyotaK to remark: “I strongly really feel {that a} safety audit towards the centralized ecosystem is required. I wish to carry out safety audits towards PyPI/npm registry… and so forth, however as they don’t permit the vulnerability evaluation explicitly, I can’t do that.”

The flaw was reported on April 17, and was totally fastened two days in a while April 19.

Homebrew, which simplifies the set up of software program on macOS and Linux, is at the moment ranked 63 within the Gitstar breakdown of organizations by GitHub star score.


YOU MIGHT ALSO LIKE Codecov users warned after backdoor discovered in DevOps tool


Source link