microsoft / azure-pipelines-agent

Azure Pipelines Agent 🚀
MIT License

[BUG]: NodeJS and dotNet vulnerable versions on Azure DevOps agent #4324

Open exolain opened 1 year ago

exolain commented 1 year ago

What happened?

The latest version 3.220.5 has vulnerabilities due to the NodeJS and dotNet versions.

dotNet vulnerability (upgrade .NET Runtime to 6.0.16 or higher): Summary: .net dll hijacking remote code execution vulnerability

Vulnerability finding: File /azureagent/bin.3.220.5/System.Core.dll version 6.0.13 is vulnerable to CVE-2023-28260, which exists in versions >= 6.0.0, < 6.0.16.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:microsoft:.net with NVD severity: High.

The file is associated with the technology .NET Runtime.

The vulnerability can be remediated by updating .NET Runtime to 6.0.16 or higher. (Location Path: /azureagent/bin.3.220.5/System.Core.dll)

NodeJS vulnerabilities (need to upgrade to 16.19.1 or later):

Summary:

os command injection vulnerability exists in node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient isallowedhost check that can easily be bypassed because isipaddress does not properly check if an ip address is invalid

a cryptographic vulnerability exists in node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the openssl error stack after operations that may set it. this may lead to false positive errors during subsequent cryptographic

a privilege escalation vulnerability exists in node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental permissions (https://nodejs.org/api/permissions.html) feature in node.js and access non authorized modules

Vulnerability finding: File /azureagent/externals.3.220.5/node16/bin/node version 16.17.1 is vulnerable to CVE-2022-43548, which exists in versions >= 16.13.0, < 16.18.1.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:nodejs:node.js with NVD severity: High.

The file is associated with the technology Node.js.

The vulnerability can be remediated by updating Node.js to 16.18.1 or higher. (Location Path: /azureagent/externals.3.220.5/node16/bin/node)

File /azureagent/externals.3.220.5/node16/bin/node version 16.17.1 is vulnerable to CVE-2023-23919, which exists in versions >= 16.0.0, < 16.19.1.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:nodejs:node.js with NVD severity: High.

The file is associated with the technology Node.js.

The vulnerability can be remediated by updating Node.js to 16.19.1 or higher. (Location Path: /azureagent/externals.3.220.5/node16/bin/node)

File /home/c23383a/myagent/externals.3.220.5/node16/bin/node version 16.17.1 is vulnerable to CVE-2023-23918, which exists in versions >= 16.0.0, < 16.19.1.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:nodejs:node.js with NVD severity: High.

The file is associated with the technology Node.js.

The vulnerability can be remediated by updating Node.js to 16.19.1 or higher. (Location Path: /azureagent/externals.3.220.5/node16/bin/node)

Versions

Azure DevOps version 3.220.5 / RHEL 9

Environment type (Please select at least one environment where you face this issue)

Azure DevOps Server type

dev.azure.com (formerly visualstudio.com)

Azure DevOps Server Version (if applicable)

No response

Operating system

RHEL9

Version control system

No response

Relevant log output

No response
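The findings in the report above share one sentence template, so they can be reduced to a single minimum fixed version per file. The following is an added example, not code from the issue or from the agent project: it parses finding sentences copied from the report and works out which version clears every listed CVE for each path (the function names are hypothetical).

```python
import re

# Finding sentences copied from the report above; paths, versions and CVE ids
# are the ones quoted in the issue.
FINDINGS = """\
File /azureagent/bin.3.220.5/System.Core.dll version 6.0.13 is vulnerable to CVE-2023-28260, which exists in versions >= 6.0.0, < 6.0.16.
File /azureagent/externals.3.220.5/node16/bin/node version 16.17.1 is vulnerable to CVE-2022-43548, which exists in versions >= 16.13.0, < 16.18.1.
File /azureagent/externals.3.220.5/node16/bin/node version 16.17.1 is vulnerable to CVE-2023-23919, which exists in versions >= 16.0.0, < 16.19.1.
"""

VER = r"\d+(?:\.\d+)*"
FINDING_RE = re.compile(
    rf"File (?P<path>\S+) version (?P<found>{VER}) is vulnerable to "
    rf"(?P<cve>CVE-\d{{4}}-\d+), which exists in versions "
    rf">= (?P<low>{VER}), < (?P<fixed>{VER})"
)

def ver(s):
    """Turn '16.19.1' into (16, 19, 1) so versions compare numerically."""
    return tuple(int(p) for p in s.split("."))

def parse(text):
    """Extract one dict per finding sentence."""
    return [m.groupdict() for m in FINDING_RE.finditer(text)]

def required_versions(findings):
    """Per file: the CVEs whose range contains the found version, and the
    lowest version that is outside all of those ranges."""
    out = {}
    for f in findings:
        if not ver(f["low"]) <= ver(f["found"]) < ver(f["fixed"]):
            continue  # reported range does not include this build; skip it
        entry = out.setdefault(
            f["path"], {"found": f["found"], "cves": [], "minimum": f["fixed"]})
        entry["cves"].append(f["cve"])
        if ver(f["fixed"]) > ver(entry["minimum"]):
            entry["minimum"] = f["fixed"]
    return out

def still_affected(findings, path, candidate):
    """CVEs from the report that a candidate version of `path` still matches."""
    return [f["cve"] for f in findings
            if f["path"] == path and ver(f["low"]) <= ver(candidate) < ver(f["fixed"])]

if __name__ == "__main__":
    for path, info in required_versions(parse(FINDINGS)).items():
        print(path, info["found"], "->", info["minimum"], info["cves"])
```

The computed minimum only clears the CVEs listed in the parsed findings; a later scan can still report other CVEs against that version.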

exolain commented 1 year ago

Any updates on this one?

pixdrift commented 1 year ago

Thanks for raising this @exolain, I am seeing similar from our security scans.

I am assuming this output has come from Nessus or equivalent scanning tool?

There seems to be some effort being focused on upgrading the dated .NET version; this PR is an example: https://github.com/microsoft/azure-pipelines-agent/pull/4378

But the node definitely needs updating too.

exolain commented 1 year ago

Hi @pixdrift, yes, that came from the Wiz scanning tool. I was expecting that maybe with the latest pre-release that would be patched, but it is still not the case. I imagine that the PR you shared might still be needed:

File /myagent/bin.3.226.3/System.Core.dll version 6.0.13 is vulnerable to CVE-2023-28260, which exists in versions >= 6.0.0, < 6.0.16.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:microsoft:.net with NVD severity: High.

The file is associated with the technology .NET Runtime.

tommilnerhowden commented 1 year ago

Hi, I am using agent version 3.230.0

File C:\azagent\A1_work_update\externals\git\mingw64\bin\libcurl-4.dll version 7.75.0 is vulnerable to CVE-2023-38545, which exists in versions >= 7.69.0, < 8.4.0.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:haxx:libcurl with NVD severity: Critical.

clint2627 commented 11 months ago

I have upgraded the agent to version 3.232.1 and scans are still showing HIGH and Critical vulnerabilities. Remediation recommendation is npm update on several packages. What does Microsoft recommend doing?

kirill-ivlev commented 11 months ago

@clint2627, could you please share more details about your detections?

clint2627 commented 11 months ago

> @clint2627, could you please share more details about your detections?

AzAgent_Vulnerabilities.xlsx

clint2627 commented 11 months ago

An update. On one of our dev servers I completely removed the agent, and then did a fresh install of the agent. This made the vulnerabilities go away. I am guessing when installing new, it pulls in the latest npm package versions. Is there a way to force an npm update automatically when upgrading the targets from Azure DevOps?

clint2627 commented 11 months ago

I had a call with a Microsoft devops engineer. His recommendation was to do a fresh install of the agent since the version I started with was so old. Hopefully going forward the update process will be smoother.

maragunde93 commented 8 months ago

This is still an issue. I have installed a fresh agent with version 3.237.0 in an Ubuntu 22 and I am getting a lot of vulnerabilities from Twistlock analysis. I can't share the full report, but here is a summary:

shrimtim commented 7 months ago

Is there any update on this? The version is still there in the latest version v3.238.0

AkechiShiro commented 4 months ago

Reping @DenisRumyantsev

tutnes commented 2 months ago

Hi! Just installed version 3.244.1 of the pipelines-agents, but it still includes the now EOL node 16. https://github.com/microsoft/azure-pipelines-agent/blob/v3.244.1/docs/node6.md