Insufficiently protected credentials vulnerability in Apple Xcode

A recently published report by cybersecurity specialists describes a security vulnerability in Xcode, Apple's integrated development environment (IDE) for macOS, which bundles the toolchain used to build software for macOS, iOS, watchOS, and tvOS.

The report indicates that the flaw lies in the Git client that ships with Xcode and concerns insufficient protection of the credentials Git stores and retrieves on the developer's behalf; what an attacker can do with a leaked credential depends on the systems it grants access to. On the Common Vulnerability Scoring System (CVSS) scale the flaw received a score of 3.5/10, which places it in the low severity band (CVSS treats scores below 4.0 as low, not medium).

Below is a brief overview of the reported flaw, along with what is known about its exploitation and the availability of patches or workarounds to mitigate the risk.

Tracked as CVE-2020-11008, this is an insufficiently protected credentials flaw in Git itself, which Xcode bundles. Git delegates the storage and retrieval of passwords to external "credential helper" programs, talking to them over a simple line-based protocol of key=value fields (protocol, host, username, and so on). A specially crafted URL passed to "git clone" can cause Git to send the helper a "blank" pattern that lacks the host and protocol fields; many helpers treat such a pattern as matching any stored credential and return one of them, which Git then transmits to the host the attacker chose. Because such URLs look suspicious when typed by hand, the realistic delivery path is through systems that clone URLs the user never sees, such as Git submodules or package managers built on top of Git.

Researchers note that this vulnerability is similar to CVE-2020-5260, an earlier credential-protection flaw in Git that was fixed in Git 2.26.1 by rejecting URLs whose components contain newline characters. That fix still left a variant open in which some stored credential could be leaked, although the attacker has no control over which one is disclosed; the variant was closed upstream in Git 2.26.2 and the corresponding maintenance releases, which refuse to consult a helper at all when the protocol or host field is missing.
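The two paragraphs above describe the mechanism in prose. The following Python model, added here as an illustration and not code from Git, Apple or the original report, shows why a pattern without a host field leaks a stored password and how the two upstream checks stop it. Everything in it is constructed: the URL shapes (an empty authority, a percent-encoded newline) are stand-ins chosen to exercise the parser rather than the disclosed trigger, `SAMPLE_STORE` is a made-up credential store, and `parse_url`, `store_lookup` and `validate_pattern` are simplified approximations of Git's and git-credential-store's behaviour, not their code.

```python
"""
Model of the Git credential-helper exchange behind CVE-2020-11008 and the
related CVE-2020-5260. Added example: not Git's or Apple's code, and the URLs
and stored credentials are constructed for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import unquote

# Fields a store-style helper compares when looking up a credential.
CREDENTIAL_KEYS = ("protocol", "host", "username")


def parse_url(url: str) -> Dict[str, str]:
    """Split a URL into the key=value fields Git sends to a credential helper.

    Deliberately lenient, standing in for Git before the fixes: a URL with an
    empty authority component yields a pattern with *no* host field, and a
    percent-encoded newline in the authority is decoded into a raw newline.
    """
    fields: Dict[str, str] = {}
    scheme, sep, rest = url.partition("://")
    if sep and scheme:
        fields["protocol"] = scheme
    else:
        rest = url
    authority, _, path = rest.partition("/")
    userinfo, at, hostport = authority.rpartition("@")
    if not at:
        hostport, userinfo = authority, ""
    if userinfo:
        fields["username"] = unquote(userinfo.split(":", 1)[0])
    if hostport:
        fields["host"] = unquote(hostport)
    if path:
        fields["path"] = path
    return fields


def to_helper_stream(fields: Dict[str, str]) -> str:
    """Serialize a pattern in the helper wire format: key=value lines, blank line ends."""
    return "".join(f"{k}={v}\n" for k, v in fields.items()) + "\n"


def store_lookup(store: List[Dict[str, str]], pattern: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Matching rule of a store-style helper: every key the query carries must
    equal the stored value; keys the query omits constrain nothing. That is
    why a pattern without 'host' matches the first entry in the store."""
    for entry in store:
        if all(entry.get(k) == pattern[k] for k in CREDENTIAL_KEYS if k in pattern):
            return entry
    return None


def validate_pattern(fields: Dict[str, str]) -> None:
    """The two post-fix checks, modelled on Git's:
    2.26.1 (CVE-2020-5260): refuse values containing a newline, since the wire
        format is line-based and a newline would inject extra fields;
    2.26.2 (CVE-2020-11008): refuse a pattern lacking protocol or host, since
        such a pattern would match any stored credential."""
    for key, value in fields.items():
        if "\n" in value or "\r" in value:
            raise ValueError(f"newline in credential field {key!r}")
    for required in ("protocol", "host"):
        if not fields.get(required):
            raise ValueError(f"refusing to work with credential missing {required} field")


def vulnerable_fill(store: List[Dict[str, str]], url: str) -> Optional[Dict[str, str]]:
    """Pre-fix behaviour: hand whatever the parser produced straight to the helper."""
    return store_lookup(store, parse_url(url))


def fixed_fill(store: List[Dict[str, str]], url: str) -> Optional[Dict[str, str]]:
    """Post-fix behaviour: validate first; invalid URLs never reach the helper."""
    fields = parse_url(url)
    validate_pattern(fields)
    return store_lookup(store, fields)


# Constructed sample store: what ~/.git-credentials might hold after two logins.
SAMPLE_STORE = [
    {"protocol": "https", "host": "git.example.com", "username": "alice", "password": "s3cret-one"},
    {"protocol": "https", "host": "ci.example.net", "username": "bot", "password": "s3cret-two"},
]

if __name__ == "__main__":
    normal = "https://git.example.com/team/repo.git"
    empty_host = "https:///team/repo.git"  # constructed: no host component at all
    injected = "https://evil.example%0ahost=git.example.com/repo.git"  # constructed: encoded newline

    print(vulnerable_fill(SAMPLE_STORE, normal)["username"])      # alice, the legitimate match
    print(vulnerable_fill(SAMPLE_STORE, empty_host)["username"])  # alice, leaked by a blank pattern
    print(repr(to_helper_stream(parse_url(injected))))            # stream carries an injected host= line
    for url in (empty_host, injected):
        try:
            fixed_fill(SAMPLE_STORE, url)
        except ValueError as err:
            print("rejected:", err)
```

The matching rule in `store_lookup` is the crux: a helper cannot tell a deliberately blank pattern from a legitimately sparse one, so the only safe place to enforce that a host and protocol are present is on the Git side, before anything is written to the helper. The newline check matters for the same reason: the helper sees one line-delimited stream and has no way to know which `host=` line was meant.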

The vulnerability can be found in the following versions of Apple Xcode: 11.0, 11.2, 11.2.1, 11.3, and 11.4.

Although CVE-2020-11008 can be triggered by an unauthenticated remote attacker who gets a victim to clone a crafted URL, the malicious URLs are conspicuous enough that direct delivery is unlikely, and researchers found no public working exploit at the time of the report. Both factors lower the practical risk and the score assigned in the main disclosure databases, and no exploitation in the wild has been detected.

Apple acknowledged the flaw and released a fix in Xcode 11.4.1, whose security content lists both CVE-2020-5260 and CVE-2020-11008; administrators of affected Xcode installations need only install the update from Apple's official channels. Where the update cannot be applied immediately, the Git project's advice is to avoid cloning untrusted URLs and submodules, or to stop using credential helpers until the patched version is in place. Apple may publish further details once it considers the risk of exploitation fully mitigated.