Recent research has uncovered a new software supply chain attack method termed MavenGate, exploiting abandoned but still active public and popular libraries in Java and Android applications, making them vulnerable to nefarious actors.
In a recent analysis, Oversecured detailed how this method could be leveraged to hijack artifacts in dependencies and inject malicious code into the application, and even go so far as to compromise the build process through a malicious plugin.
As it stands, all Maven-based technologies, including Gradle, are susceptible to the attack, exposing over 200 companies, including big names like Google, Facebook, Signal, and Amazon, to its risks.
Apache Maven, which is largely used for building and managing Java-based projects, has contributed to the vulnerability, given its capability to handle dependencies and release management amongst others. This opens the door for attackers to launch supply chain poisoning attacks via abandoned libraries added to known repositories.
Illustratively, the attack involves purchasing an expired reversed domain controlled by the owner of the dependency and gaining access to the groupId by asserting rights to it via a DNS TXT record in a repository where no account managing the vulnerable groupId exists. If an attacker can’t gain access to the repository directly, they can try to gain access by contacting the repository’s support team.
To demonstrate the effectiveness of the attack, Oversecured uploaded its own test Android library (groupId: “com.oversecured”), creating a replica of it published on Maven Central. It effectively managed to manipulate the download process to fetch the damaged version of the library instead of the authentic one, shaping its proof of concept.
Commenting on this dangerous attack vector, the research team warned that most applications don’t check the digital signature of dependencies, and even libraries may not publish it. Their report found that 18.18% of the total domains analyzed were vulnerable to MavenGate, further emphasizing the criticality of the problem at hand.
Sonatype, which owns Maven Central, has undertaken steps to mitigate the vulnerability by employing automation and revoking accounts associated with expired domains and GitHub projects. It has also improved the public key validation process and announced the intention to collaborate with SigStore to digitally sign the components.
“The end developer is responsible for security not only for direct dependencies, but also for transitive dependencies,” Oversecured noted. “Library developers should be responsible for the dependencies they declare and also write public key hashes for their dependencies, while the end developer should be responsible only for their direct dependencies.”