Utilizing Exposed NuGet Packages Attackers Target .NET Platform
An investigation of the off-shelf packages housed in the NuGet repository indicated that 51 unique software components are susceptible to extreme vulnerabilities that are being exploited actively, again highlighting the danger posed on software development by third-party dependencies.
ReversingLabs Researcher Karl Zanki noted in a paper that there is still an increasing number of cyber events targeting the software supply chain that such modules urgently need to be assessed for safety risk and the attack surface to be minimized.
NuGet is a .NET platform supported by Microsoft technology that works as a Package Manager to allow developers to exchange reused code. The framework maintains a single repository of more than 264,000 individual packages that have generated more than 109 billion downloads together.
Of that kind, code is very often wrapped into ‘packages' which include compiled code (such DLLs) and other contents required for projects using these packages. NuGet, which specifies how packages for the .NET function are developed, hosted, consumed, and provides tools for each role, is supported by the Microsoft-built code sharing mechanism. NET (including the.NET core).
“All identified pre-compiled software components in our research were different versions of 7Zip, WinSCP, and PuTTYgen, programs that provide complex compression and network functionality,” Zanki explained. “They are continuously updated to improve their functionality and to address known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities.”
It was discovered in some instances that ‘WinSCPHelper' — a remote server file management library that was installed more than 35,000 times — uses an older and vulnerable 5.11.2, and WinSCP 5.17.10 published earlier this month, addresses the essential arbitrary running defect (CVE-2021-3331) that exposes users of the package to vulnerability.
The researchers have also found that the susceptible version of the “zlib” data compression library is stationary with over 50,000 software components from NuGet packages. This makes the compressor library risky for several known security problems, such as the CVE- 2016-9840, CVE-2016-9841, CVE-2016-9842, or CVE-2016-9843.
Some of the packages found to be vulnerable to zlib are “DicomObjects” and “librdkafka.redist” both downloaded at least 50 thousand to 18.2 million times.
“Companies developing software solutions need to become more aware of such risks, and need to become more involved in their handling,” Zanki said.