dotnet / sdk

Core functionality needed to create .NET Core projects, that is shared between Visual Studio and CLI
https://dot.net/core
MIT License

dotnet 6.0.26+ SDK NuGet.Packaging Dependencies Vulnerable? #40355

Open jcburgo opened 2 months ago

jcburgo commented 2 months ago

Describe the bug

The dotnet 6.0 versions since 6.0.26 list the version of the NuGet.Packaging dependency in the SDK as "NuGet.Packaging": "6.3.4-rc.2" in

MSBuild.deps.json
NuGet.CommandLine.XPlat.deps.json
dotnet.deps.json

which evaluates as less than [1] the fixed version (6.3.4) in the advisory [2]. As a result, vulnerability scanners flag the latest SDK version (e.g. 6.0.421) as vulnerable to CVE-2024-0057 (Critical). I am not certain if NuGet.Packaging v6.3.4-rc.2 includes the fix for CVE-2024-0057, so I am not certain if the versions of dotnet since 6.0.26 are patched.

I see two approaches to resolving this issue:

  1. Update the advisory [2] (recommended)
  2. Update the dependencies in the SDKs

References:
[1] - https://learn.microsoft.com/en-us/nuget/concepts/package-versioning?tabs=semver20sort#pre-release-versions
[2] - https://github.com/NuGet/NuGet.Client/security/advisories/GHSA-68w7-72jg-6qpp

To Reproduce

N/A

Exceptions (if any)

N/A

Further technical details

N/A

KalleOlaviNiemitalo commented 2 months ago

FWIW, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 lists .NET 6.0.26 as the security update for this, and https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.26/6.0.26.md says CVE-2024-0057 is fixed there.

The CVE-2024-0057 description specifically refers to "Microsoft .NET Framework-based applications". Does that include applications running on .NET 6 at all; or does the vulnerability only apply to applications that use NuGet libraries from .NET but run on .NET Framework?

jcburgo commented 2 months ago

Yes, they both say the CVE is fixed in 6.0.26; however, the latest SDKs (e.g. 6.0.421) appear to have been built with "NuGet.Packaging": "6.3.4-rc.2", which evaluates to less than v6.3.4, resulting in false positives in vulnerability scanners. I believe the fix was implemented, but entries like this

/dotnet-sdk-6.0.421-linux-x64/sdk/6.0.421/MSBuild.deps.json
      "NuGet.Packaging/6.3.4-rc.2": {
          "lib/net5.0/NuGet.Packaging.dll": {
      "NuGet.Packaging.Core/6.3.4-rc.2": {
          "NuGet.Packaging": "6.3.4-rc.2"
          "lib/net5.0/NuGet.Packaging.Core.dll": {
          "NuGet.Packaging": "6.3.4-rc.2"
          "NuGet.Packaging": "6.3.4-rc.2",
          "NuGet.Packaging.Core": "6.3.4-rc.2",
    "NuGet.Packaging/6.3.4-rc.2": {
    "NuGet.Packaging.Core/6.3.4-rc.2": {

cause vulnerability scanners to flag the SDK as vulnerable.

jcburgo commented 2 months ago

Here is an example from Trivy


trivy filesystem sdk/
2024-04-22T11:12:32.785-0400    INFO    Need to update DB
2024-04-22T11:12:32.785-0400    INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
2024-04-22T11:12:32.786-0400    INFO    Downloading DB...
45.26 MiB / 45.26 MiB [-------------------------------------------------------------------------------------------------------------------] 100.00% 13.95 MiB p/s 3.4s
2024-04-22T11:12:36.926-0400    INFO    Vulnerability scanning is enabled
2024-04-22T11:12:36.926-0400    INFO    Secret scanning is enabled
2024-04-22T11:12:36.926-0400    INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-04-22T11:12:36.926-0400    INFO    Please see also https://aquasecurity.github.io/trivy/v0.46/docs/scanner/secret/#recommendation for faster secret detection
2024-04-22T11:12:37.986-0400    INFO    Number of language-specific files: 23
2024-04-22T11:12:37.986-0400    INFO    Detecting dotnet-core vulnerabilities...

6.0.421/DotnetTools/dotnet-format/dotnet-format.deps.json (dotnet-core)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication   │
│                                │               │          │        │                   │               │ information exposed in a redirect...                      │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                 │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

6.0.421/DotnetTools/dotnet-watch/6.0.421-servicing.24172.16/tools/net6.0/any/dotnet-watch.deps.json (dotnet-core)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication   │
│                                │               │          │        │                   │               │ information exposed in a redirect...                      │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                 │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

6.0.421/FSharp/fsc.deps.json (dotnet-core)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH     │ fixed  │ 6.0.1             │ 7.0.2, 6.0.3  │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│                                   │                │          │        │                   │               │ Certificates                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29331              │
├───────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml  │ CVE-2022-34716 │ MEDIUM   │        │ 6.0.0             │ 4.7.1, 6.0.1  │ dotnet: External Entity Injection during XML signature  │
│                                   │                │          │        │                   │               │ verification                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-34716              │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

6.0.421/FSharp/fsi.deps.json (dotnet-core)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌───────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────┐
│              Library              │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                          │
├───────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Pkcs │ CVE-2023-29331 │ HIGH     │ fixed  │ 6.0.1             │ 7.0.2, 6.0.3  │ dotnet: .NET Kestrel: Denial of Service processing X509 │
│                                   │                │          │        │                   │               │ Certificates                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2023-29331              │
├───────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml  │ CVE-2022-34716 │ MEDIUM   │        │ 6.0.0             │ 4.7.1, 6.0.1  │ dotnet: External Entity Injection during XML signature  │
│                                   │                │          │        │                   │               │ verification                                            │
│                                   │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-34716              │
└───────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────┘

6.0.421/MSBuild.deps.json (dotnet-core)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Status │ Installed Version │                  Fixed Version                   │                           Title                            │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging                  │ CVE-2024-0057  │ CRITICAL │ fixed  │ 6.3.4-rc.2        │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2024-0057                  │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM   │        │ 6.0.0             │ 4.7.1, 6.0.1                                     │ dotnet: External Entity Injection during XML signature     │
│                                  │                │          │        │                   │                                                  │ verification                                               │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-34716                 │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions   │ CVE-2019-0820  │ HIGH     │        │ 4.3.0             │ 4.3.1                                            │ dotnet: timeouts for regular expressions are not enforced  │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2019-0820                  │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

6.0.421/NuGet.CommandLine.XPlat.deps.json (dotnet-core)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Status │ Installed Version │                  Fixed Version                   │                           Title                            │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging                  │ CVE-2024-0057  │ CRITICAL │ fixed  │ 6.3.4-rc.2        │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2024-0057                  │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM   │        │ 6.0.0             │ 4.7.1, 6.0.1                                     │ dotnet: External Entity Injection during XML signature     │
│                                  │                │          │        │                   │                                                  │ verification                                               │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-34716                 │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions   │ CVE-2019-0820  │ HIGH     │        │ 4.3.0             │ 4.3.1                                            │ dotnet: timeouts for regular expressions are not enforced  │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2019-0820                  │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

6.0.421/Sdks/Microsoft.NET.ILLink.Tasks/tools/net6.0/ILLink.Tasks.deps.json (dotnet-core)

Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌───────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬─────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                    Title                    │
├───────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼─────────────────────────────────────────────┤
│ System.Drawing.Common │ CVE-2021-24112 │ CRITICAL │ fixed  │ 4.7.0             │ 4.7.2, 5.0.3  │ dotnet: Remote Code Execution Vulnerability │
│                       │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2021-24112  │
└───────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴─────────────────────────────────────────────┘

6.0.421/dotnet-watch.deps.json (dotnet-core)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 2, CRITICAL: 0)

┌────────────────────────────────┬───────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│            Library             │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├────────────────────────────────┼───────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ System.Net.Http                │ CVE-2018-8292 │ HIGH     │ fixed  │ 4.3.0             │ 4.3.4         │ .NET Core: information disclosure due to authentication   │
│                                │               │          │        │                   │               │ information exposed in a redirect...                      │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2018-8292                 │
├────────────────────────────────┼───────────────┤          │        │                   ├───────────────┼───────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions │ CVE-2019-0820 │          │        │                   │ 4.3.1         │ dotnet: timeouts for regular expressions are not enforced │
│                                │               │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2019-0820                 │
└────────────────────────────────┴───────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

6.0.421/dotnet.deps.json (dotnet-core)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 1)

┌──────────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────────────────┐
│             Library              │ Vulnerability  │ Severity │ Status │ Installed Version │                  Fixed Version                   │                           Title                            │
├──────────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ NuGet.Packaging                  │ CVE-2024-0057  │ CRITICAL │ fixed  │ 6.3.4-rc.2        │ 5.11.6, 6.0.6, 6.3.4, 6.4.3, 6.6.2, 6.7.1, 6.8.1 │ dotnet: X509 Certificates - Validation Bypass across Azure │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2024-0057                  │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Security.Cryptography.Xml │ CVE-2022-34716 │ MEDIUM   │        │ 6.0.0             │ 4.7.1, 6.0.1                                     │ dotnet: External Entity Injection during XML signature     │
│                                  │                │          │        │                   │                                                  │ verification                                               │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2022-34716                 │
├──────────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────────────────┤
│ System.Text.RegularExpressions   │ CVE-2019-0820  │ HIGH     │        │ 4.3.0             │ 4.3.1                                            │ dotnet: timeouts for regular expressions are not enforced  │
│                                  │                │          │        │                   │                                                  │ https://avd.aquasec.com/nvd/cve-2019-0820                  │
└──────────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────────────────┘

dotnet-policy-service[bot] commented 2 months ago

Thanks for creating this issue! We believe this issue is related to NuGet tooling, which is maintained by the NuGet team. Thus, we closed this one and encourage you to raise this issue in the NuGet repository instead. Don’t forget to check out NuGet’s contributing guide before submitting an issue!

If you believe this issue was closed out of error, please comment to let us know.

Happy Coding!

jcburgo commented 2 months ago

This is not a NuGet issue. The SDK was built with a potentially vulnerable version of NuGet, so the SDK needs to update its dependencies.

marcpopMSFT commented 2 months ago

This is actually an issue on the nuget side (as well as impacting other tools) tracked by this internal issue: https://github.com/NuGet/Client.Engineering/issues/2735

Because feeds don't handle stable versions well if you need a rebuild, nuget and other tools teams flow unstable versions into the SDK. Those binaries are identical. This allows them more consistency on the feed used.

One recommendation is to change the branding to -rtm but that'll still be flagged by some scanners. We could try to modify the deps.json before shipping but that's a bit hacky. It'd be better to find a way to flow an unstable version in the main feed that wasn't a prerelease or find a way to flow the stable version.

CC @nkolev92 as he was aware of the linked issue.
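The version ordering behind jcburgo's false positive (a prerelease such as 6.3.4-rc.2 sorts below the 6.3.4 fix under SemVer 2.0 / NuGet precedence) and marcpopMSFT's remark that an "-rtm" rebranding would still be flagged, worked through as an added example that is not part of this thread or of the SDK, NuGet or Trivy code. The deps.json fragment, the advisory table and the branch-matching rule used to pick a fixed version are constructed simplifications; the comparison rules follow the NuGet package-versioning documentation linked in the first post.

```python
"""NuGet/SemVer 2.0 precedence model: why 6.3.4-rc.2 sorts below the fixed 6.3.4,
and how a deps.json consumer can tell that case apart.  Added for this thread, not
SDK/NuGet/Trivy code; the deps.json, advisory table and branch rule are constructed."""
import json
from functools import cmp_to_key

# Constructed deps.json fragment shaped like the SDK's MSBuild.deps.json.
DEPS_JSON = json.dumps({
    "libraries": {
        "MSBuild/17.3.2": {"type": "project"},
        "NuGet.Packaging/6.3.4-rc.2": {"type": "package"},
        "NuGet.Packaging.Core/6.3.4-rc.2": {"type": "package"},
        "System.Text.RegularExpressions/4.3.0": {"type": "package"},
    }
})

# Constructed advisory table: package -> (CVE, fixed version per serviced branch).
ADVISORIES = {
    "NuGet.Packaging": ("CVE-2024-0057", ["5.11.6", "6.0.6", "6.3.4", "6.4.3"]),
    "System.Text.RegularExpressions": ("CVE-2019-0820", ["4.3.1"]),
}

def parse_version(text):
    """Split 'x.y.z[.w][-pre][+meta]' into a 4-part numeric core and prerelease ids."""
    text = text.split("+", 1)[0]            # build metadata never affects precedence
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    nums += (0,) * (4 - len(nums))          # NuGet compares up to four numeric parts
    return nums, (tuple(pre.split(".")) if pre else None)

def _cmp_identifier(a, b):
    """Order one prerelease identifier: numeric < alphanumeric, labels case-insensitive."""
    if a.isdigit() and b.isdigit():
        return (int(a) > int(b)) - (int(a) < int(b))
    if a.isdigit() != b.isdigit():
        return -1 if a.isdigit() else 1
    a, b = a.lower(), b.lower()
    return (a > b) - (a < b)

def compare_versions(left, right):
    """Return -1, 0 or 1 by SemVer 2.0 precedence: any prerelease < its release."""
    (lnums, lpre), (rnums, rpre) = parse_version(left), parse_version(right)
    if lnums != rnums:
        return -1 if lnums < rnums else 1
    if lpre is None or rpre is None:
        return 0 if lpre == rpre else (1 if lpre is None else -1)
    for a, b in zip(lpre, rpre):
        c = _cmp_identifier(a, b)
        if c:
            return c
    return (len(lpre) > len(rpre)) - (len(lpre) < len(rpre))  # longer list ranks higher

def scan_deps(deps_text, advisories=ADVISORIES):
    """Mimic a scanner: take the fixed version on the installed major.minor branch
    (lowest fixed version if none) and flag anything older.  A prerelease whose bare
    version equals the fix is the thread's case: flag it for manual triage."""
    findings = []
    for key, entry in json.loads(deps_text)["libraries"].items():
        name, _, version = key.partition("/")
        if entry.get("type") != "package" or name not in advisories:
            continue
        cve, fixed = advisories[name]
        branch = parse_version(version)[0][:2]
        same = [f for f in fixed if parse_version(f)[0][:2] == branch]
        target = same[0] if same else sorted(fixed, key=cmp_to_key(compare_versions))[0]
        if compare_versions(version, target) >= 0:
            continue
        bare = version.split("+", 1)[0].partition("-")[0]   # "6.3.4-rc.2" -> "6.3.4"
        findings.append({"library": name, "cve": cve, "installed": version, "fixed": target,
                         "needs_triage": "-" in version and compare_versions(bare, target) == 0})
    return findings
```

The `needs_triage` flag separates "prerelease of the exact fixed version" (where, per marcpopMSFT, the shipped binary may be identical to the release) from a genuinely older package, so a pipeline can route the first to a human instead of failing the build.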