
Homebrew Security Audit Finds 25 Vulnerabilities

Vulnerabilities in Homebrew could have allowed attackers to load executable code and modify binary builds, security audit finds.

Multiple vulnerabilities in Homebrew could have allowed attackers to load executable code and modify binary builds, potentially controlling CI/CD workflow execution and exfiltrating secrets, a Trail of Bits security audit has discovered.

Sponsored by the Open Tech Fund, the audit was performed in August 2023 and uncovered a total of 25 security defects in the popular package manager for macOS and Linux.

None of the flaws was critical and Homebrew already resolved 16 of them, while still working on three other issues. The remaining six security defects were acknowledged by Homebrew.

The identified bugs (14 medium-severity, two low-severity, seven informational, and two undetermined) included path traversals, sandbox escapes, lack of checks, permissive rules, weak cryptography, privilege escalation, use of legacy code, and more.

The audit’s scope included the Homebrew/brew repository, along with Homebrew/actions (custom GitHub Actions used in Homebrew’s CI/CD), Homebrew/formulae.brew.sh (the codebase for Homebrew’s JSON index of installable packages), and Homebrew/homebrew-test-bot (Homebrew’s core CI/CD orchestration and lifecycle management routines).

“Homebrew’s large API and CLI surface and informal local behavioral contract offer a large variety of avenues for unsandboxed, local code execution to an opportunistic attacker, [which] do not necessarily violate Homebrew’s core security assumptions,” Trail of Bits notes.


In a detailed report on the findings, Trail of Bits notes that Homebrew’s security model lacks explicit documentation and that packages can exploit multiple avenues to escalate their privileges.

The audit also identified configuration issues in Apple's sandbox-exec system, GitHub Actions workflows, and Gemfiles, as well as extensive trust in user input across the Homebrew codebases (leading to string injection, path traversal, or the execution of functions or commands on untrusted inputs).

“Local package management tools install and execute arbitrary third-party code by design and, as such, typically have informal and loosely defined boundaries between expected and unexpected code execution. This is especially true in packaging ecosystems like Homebrew, where the “carrier” format for packages (formulae) is itself executable code (Ruby scripts, in Homebrew’s case),” Trail of Bits notes.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
