Critical flaw in macOS package manager Homebrew allows hackers to run arbitrary code

Cybersecurity experts reported the discovery of a dangerous security flaw in Homebrew, the open source package manager for macOS and Linux. According to the report, the flaw would allow threat actors to get malicious Ruby code merged into the project's official cask repository and executed on the devices of users running this application.

The flaw was found by the researcher known as “Ryotak” during a security assessment authorized by the project’s developers. The affected component is an automated pull request review workflow that runs on GitHub Actions.

The report notes that the fault was detected in the Homebrew/homebrew-cask repository, where it was possible to get malicious pull requests merged by confusing the diff-parsing library used in the automated pull request review script developed by the Homebrew project.

Homebrew maintainer Markus Reiter says: “This condition exists due to a failure in the git_diff dependency of the review-cask-pr GitHub Action, used to parse the diff of a pull request for inspection.” He continues: “Successful exploitation of this vulnerability would allow the scanner to be tricked into completely ignoring security mechanisms, resulting in successful approval of malicious pull requests.”

The maintainer explains that the problem arose when an affected cask tap received a pull request that changed only a cask’s version: “The review-cask-pr GitHub Action automatically reviewed and approved the pull request. Approval then triggered an automatic GitHub Action, which merged the approved pull request.”
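The mechanism described above (a reviewer script that trusts a diff parser, and a parser that can be confused by crafted file content) is shown below as an added example. This is not code from Homebrew, from the review-cask-pr action, or from the git_diff gem: the two parsers are an illustrative reconstruction of the bug class, not the exact git_diff defect, the cask name `example` and both unified diffs are constructed, and the "allowed lines" rule is an assumption about what a version-bump reviewer would check. The weak parser decides what a line is from its prefix alone, so an added line whose content starts with `++ b/` appears in the diff as `+++ b/...` and is mistaken for a file header; the hunk-aware parser uses the line counts from the `@@` header, which git generates from the real file contents, so the attacker cannot hide lines behind a look-alike header.

```ruby
# Added example: illustrative reconstruction of a diff-parser confusion, not
# the code of Homebrew, review-cask-pr or the git_diff gem.

# Constructed sample: a legitimate version/sha256 bump of a hypothetical cask.
LEGIT_DIFF = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,4 @@
   cask "example" do
  -  version "1.0.0"
  -  sha256 "aaaa"
  +  version "1.0.1"
  +  sha256 "bbbb"
   end
DIFF

# Constructed sample: the same bump plus two smuggled lines. The first added
# line's file content begins with "++ b/", so in the diff it reads "+++ b/..."
# and looks like a file header; the Ruby after it is what the attacker wants
# merged. (Whether that first line is itself valid Ruby is beside the point.)
MALICIOUS_DIFF = <<~DIFF
  diff --git a/Casks/example.rb b/Casks/example.rb
  --- a/Casks/example.rb
  +++ b/Casks/example.rb
  @@ -1,4 +1,6 @@
   cask "example" do
  -  version "1.0.0"
  -  sha256 "aaaa"
  +  version "1.0.1"
  +  sha256 "bbbb"
  +++ b/Casks/example.rb
  +  system "echo pwned"
   end
DIFF

# Weak parser: classifies every line by its prefix. Anything that looks like a
# file header drops it back into "waiting for a hunk" state, so changed lines
# after a forged header are silently lost.
module NaiveDiffParser
  def self.changed_lines(diff)
    changes = []
    in_hunk = false
    diff.each_line(chomp: true) do |line|
      case line
      when /\A(diff --git|--- |\+\+\+ )/ then in_hunk = false
      when /\A@@ /                        then in_hunk = true
      when /\A[+-]/                       then changes << line if in_hunk
      end
    end
    changes
  end
end

# Hardened parser: inside a hunk, the remaining old/new line counts from the
# "@@ -a,b +c,d @@" header decide when the hunk ends. While counts remain,
# every "+"/"-" line is a change no matter what follows the sign.
module HunkAwareDiffParser
  HUNK_HEADER = /\A@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@/

  def self.changed_lines(diff)
    changes = []
    old_left = new_left = 0
    diff.each_line(chomp: true) do |line|
      if old_left.zero? && new_left.zero?
        if (m = HUNK_HEADER.match(line))
          old_left = (m[2] || "1").to_i   # omitted count means 1 line
          new_left = (m[4] || "1").to_i
        end
        next                               # outside a hunk nothing is a change
      end
      case line[0]
      when "+"  then new_left -= 1; changes << line
      when "-"  then old_left -= 1; changes << line
      when " "  then old_left -= 1; new_left -= 1
      when "\\" then nil                   # "\ No newline at end of file"
      else raise ArgumentError, "malformed diff line: #{line.inspect}"
      end
    end
    raise ArgumentError, "truncated hunk" unless old_left.zero? && new_left.zero?
    changes
  end
end

# Assumed reviewer rule: auto-approve only if every changed line is a
# version or sha256 assignment.
ALLOWED = /\A[+-]\s*(version|sha256)\s+"[^"]*"\s*\z/

def auto_approvable?(changes)
  !changes.empty? && changes.all? { |l| l.match?(ALLOWED) }
end

def review(parser, diff)
  auto_approvable?(parser.changed_lines(diff))
end

if __FILE__ == $0
  [NaiveDiffParser, HunkAwareDiffParser].each do |p|
    puts "#{p}: legit=#{review(p, LEGIT_DIFF)} malicious=#{review(p, MALICIOUS_DIFF)}"
  end
end
```

Run stand-alone, the weak parser approves both diffs while the hunk-aware one approves only the legitimate bump. The durable fix is the one the maintainers chose, a human in the loop, but any automated gate that does stay should parse by hunk structure rather than by line prefix, and should fail closed on anything it cannot account for.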

Reiter added that the vulnerable review-cask-pr and automerge GitHub Actions have been disabled and removed from all repositories. In addition, the bots’ ability to commit to homebrew/cask* repositories has been restricted, and pull requests now require manual review and explicit approval by a project maintainer.

The researcher concluded: “I firmly believe that a strict security audit of the centralized ecosystem is required. I want to perform security audits against the PyPI/npm registries and others, but at the moment this is not allowed.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.