Vulnerability in macOS Homebrew Package Manager Could Allow Execution of Arbitrary Code


Adam Bannister April 22, 2021 at 15:59 UTC

Updated: May 18, 2021 at 15:10 UTC

A flaw meant that malicious code injected into the Cask repository was automatically merged

A vulnerability in Homebrew, the hugely popular open source package manager for macOS and Linux, allowed attackers to run malicious Ruby code on machines running the application.

Security researcher ”RyotaK‘found the flaw during a vulnerability assessment sanctioned by project managers after probing the CI script Homebrew runs using GitHub actions.

The Japanese researcher discovered that “in the repository it was possible to merge the malicious pull request by confusing the library which is used in the automated pull request review script developed by the Homebrew project,” according to a blog post published on April 21th.

Spoof the parser

In a security alert, Homebrew maintainer Markus Reiter said, “This is due to a flaw in the dependency of the GitHub action, which is used to analyze a pull request for inspection.

“Due to this flaw, the parser can be spoofed by completely ignoring the offending lines, resulting in the approval of a malicious pull request.”

The problem arose, he continued, because: “Whenever an affected keg faucet received a pull request to change only a keg version, the GitHub action would automatically review and approve. the extraction request. The approval would then trigger the GitHub action that would merge the approved pull request.

Secure the repo

In light of the results, which were reported to Homebrew’s HackerOne program, Reiter said vulnerable and GitHub actions have been disabled and removed from all repositories.

Additionally, bots can no longer engage in repositories, as pull requests now require manual review and manager approval.

“We are improving the documentation to help integrate new homebrew / cask maintainers and training existing homebrew / core maintainers to help with homebrew / cask,” added Reiter.

RyotaK compromised a single cask “with a harmless change for the duration of the demo draw request until it is reversed,” he continued. “No action is required from users due to this incident. “

The severity of the bug prompted RyotaK to comment, “I strongly believe that a security audit against the centralized ecosystem is needed. I want to perform security audits on the PyPI / npm… etc registry, but since they don’t explicitly allow vulnerability assessment, I can’t.

The flaw was reported on April 17 and was fully patched two days later on April 19.

Homebrew, which makes installing software on macOS and Linux easy, is currently ranked 63 in the Gitstar breakdown of organizations according to the GitHub star rating.

YOU MAY ALSO LIKE Codecov users warned after backdoor discovered in DevOps tool


Comments are closed.