A new software supply chain attack called MavenGate has been discovered [1] [2] [3], targeting abandoned libraries used in Java and Android applications [1]. This attack allows hackers to inject malicious code into applications, potentially compromising the build process [1].
Description
MavenGate is a supply chain attack that exploits abandoned libraries in Java and Android applications. By hijacking artifacts in dependencies [1] [2], hackers can inject malicious code into applications [1] [2] [3], posing a significant security risk. This attack is carried out by purchasing expired domain names controlled by the owners of the dependencies and gaining access to the groupId [1]. Maven-based technologies [1] [2] [3], including Gradle [1] [2] [3], are vulnerable to this attack [1].
Oversecured [1] [2] [3], a mobile security firm [1] [2] [3], has sent reports to over 200 companies [1] [2] [3], including Google [1] [2] [3], Facebook [1] [2] [3], and Amazon [1] [2] [3], highlighting the threat posed by MavenGate. The attack involves adding both Maven Central and JitPack to the dependency repository list in the Gradle build script [1], giving the attacker control over the library version downloaded.
Researchers have noted that most applications do not verify the digital signature of dependencies [1], making it easier for attackers to go undetected [1]. Sonatype [1] [2] [3], the owner of Maven Central [1] [2] [3], has taken steps to address this vulnerability and plans to collaborate with SigStore to digitally sign components [1].
Responsibility for security lies with both the end developer and the library developer [1] [2]. The end developer is responsible for direct dependencies [1] [2], while the library developer is responsible for the dependencies they declare [1] [2].
Conclusion
MavenGate poses a significant threat to the security of Java and Android applications. It highlights the importance of verifying the digital signature of dependencies and implementing robust security measures. Sonatype’s collaboration with SigStore to digitally sign components is a step towards mitigating this vulnerability.
Moving forward, developers must remain vigilant and prioritize security in their software supply chain. Regularly updating dependencies and conducting thorough security checks can help prevent similar attacks in the future.
References
[1] https://www.redpacketsecurity.com/mavengate-attack-could-let-hackers-hijack-java-and-android-via-abandoned-libraries/
[2] https://thehackernews.com/2024/01/hackers-hijack-popular-java-and-android.html
[3] https://owasp.or.id/2024/01/22/mavengate-attack-could-let-hackers-hijack-java-and-android-via-abandoned-libraries/
