Do you know how healthy your .NET dependencies are?
May 3, 2019
0 mins readEarlier this year, Snyk added support to integrate with your Git repository .NET projects, and just this week, we released the newest addition: support for Microsoft Azure.
In this blog, we take a look at the libraries that, because they contain today’s most common vulnerabilities, also most frequently appear in Snyk project scans. We’ll uncover the “top ten libraries” that are currently impacting our users most, and take a closer look at them. First, let’s quickly look at the characteristics of the top 10, and then take a deeper look at three of these libraries, which include particularly interesting vulnerabilities. Using the Snyk vulnerability database and data from the NuGet registry, we’ll dig into how each library is used, how popular it is, and what known vulnerabilities it contains.
Top ten libraries
The following table describes these top ten libraries:
Place | Library | Use | Vulnerabilities* | Lifetime Downloads |
|---|---|---|---|---|
1 | A programming interface for modern HTTP applications | 5 High Severity | 81 M | |
2 | Single producer, single consumer byte buffer management tool | 1 High Severity |
| |
3 | Core component of ASP.NET Core Kestrel cross-platform web server | 2 High Severity | 22.1 M | |
4 | Protocol that enables two-way persistent communication channels over TCP connections | 1 Medium Severity | 3.6 M | |
5 | Data access protocol for the web | 1 High Severity | 42.4 M | |
6 | Web socket middleware for use on top of opaque servers | 1 High Severity | 12.5 M | |
7 | Library providing classes to support the creation and validation of XML digital signatures | 1 High Severity | 13.6 M | |
8 | Transport abstractions for the ASP.NET Core Kestrel cross-platform web server | 1 High Severity | 22.1 M | |
9 | Library providing secure network communication between client and server endpoints | 3 High Severity | 42.6 M | |
10 | Membership system for building ASP.NET Core web applications | 1 High Severity | 18.3 M |
*Cumulative for all versions
When reviewing this table, a few things stand out.
First, the ASP.NET Core Kestrel cross-platform web server is both popular, and currently has a number of high severity vulnerabilities derived from several different related libraries.
Second, the total number of vulnerabilities for these libraries is generally low, but the severities are generally high.
Finally, it is interesting to note that, while all of these libraries seem to be widely used, the number of lifetime downloads for a library does not directly correlate to its rank on our list. The system.net.http library has both the largest number of lifetime downloads and the largest impact on our users, but the libraries in spots 2-10 on the list did have a similar direct correlation.
Now let’s take a look at the three libraries that have had the largest impact on our users.
System.Net.Http
First up, we are going to take a look at the system.net.http library, which is the library that accounts for the vulnerabilities seen most often in our scans.
What does the library do?
System.net.http is a library that provides a programming interface for modern HTTP applications. This includes HTTP client components that allow applications to consume web services over HTTP and HTTP components that can be used by both clients and servers for parsing HTTP headers.
How popular is the library?
System.net.http has about 81 million lifetime downloads. The current version (4.3.4), which was 7 months old at the time of writing, accounts for around 3.4 million downloads. System.http.net averages around 31,000 downloads a day.
What do we know about vulnerabilities within this library?
There is good and bad news with respect to vulnerabilities in system.net.http.
First, the good news. The most recent version of this library (4.3.4) has no known vulnerabilities. If you use this library, upgrade to the most recent version!
But now for the bad news. This library includes a number of high severity vulnerabilities in its other versions. One of these vulnerabilities is only present in very old versions, but there are four high severity vulnerabilities and one medium severity vulnerability for versions below 4.1.2 and for versions 4.3.X below 4.3.4.
These vulnerabilities are of multiple types and include information disclosure, improper certificate validation, privilege escalation, authentication bypass, and denial of service. NuGet provides some interesting statistics for this library, including what versions have been downloaded and how often and even includes granular information from the last 6 weeks.
Unfortunately, these statistics show that only 16% of the downloads of this library in the past six weeks were for the most recent version (the only version completely free from known vulnerabilities). That means that currently, the majority of people who are downloading the library today are downloading versions that include multiple, known, high severity vulnerabilities.
The numbers on NuGet do provide a ray of hope. The most recent version (4.3.4) has been out for 7 months, but it looks like the pace of adoption has been picking up recently. Version 4.3.4 has been downloaded approximately 3.3 million times, but 1.2 million of the downloads occurred in the last six weeks.
Snyk’s recommendation? If you use this library, update to the current version (4.3.4).
System.IO.Pipelines
Now let’s take a look at the second library on our list, system.io.pipelines. This library is relatively new, dating only back to late 2017. When looking at our top ten list, it clocks in at second to last in terms of lifetime downloads, which makes sense given its recent release.
What does the library do?
The system.io.pipelines library is a single producer, single consumer byte buffer management tool. In short, this library makes it easier to do high performance I/O (input/output) in .NET.
How popular is the library?
System.io.pipelines has been downloaded approximately 8.4 million times, including around 600k downloads of the most recent version (4.5.3). Version 4.6.0 is currently in preview.
What do we know about vulnerabilities within this library?
Currently, there is only a single known vulnerability associated with the system.io.pipelines library. Similar to the previously discussed system.net.http library, there is good and bad news with respect to the vulnerability in system.io.pipelines.
First the bad news. The single high severity vulnerability associated with this library is a denial of service vulnerability--which has the capacity to crash your website. The vulnerability in question has a high severity score, and if exploited can prevent legitimate users from accessing your website, run up your server costs, and cause you many headaches.
Now for the good news. The single high severity vulnerability associated with this library is a denial of service vulnerability. Yes! This is good news as well. Unlike other vulnerabilities, Denial of Service (DoS) attacks usually do not aim at breaching security. Despite the headaches that such a vulnerability can cause, it is reassuring that although it is likely to cost you your uptime rate, the vulnerability is not likely to lead to a loss of data or personal information.
Snyk’s recommendation? Upgrade system.io.pipelines to version 4.5.1 or higher and keep an eye on the security status of this new and useful library!
Microsoft.AspNetCore.Server.Kestrel.Core
Finally, let’s take a look at the third library on our list, microsoft.aspnetcore.server.kestrel.core.
What does the library do?
The microsoft.aspnetcore.server.kestrel.core library is the core component of ASP.NET Core Kestrel cross-platform web server. Kestrel is an event-driven, asynchronous I/O-based server and is generally considered to be the favored web server for new asp.net applications. The Kestrel web server does not have all of the necessary features for a standalone web server, but it is very fast for asynchronous I/O and can work in conjunction with IIS or NGINX.
How popular is the library?
Microsoft.aspnetcore.server.kestrel.core claims more than 22 million lifetime downloads. Around 630k of these downloads are for the most recent version (2.2.0), which was released in late 2018.
What do we know about vulnerabilities within this library?
This library currently has four known vulnerabilities, including two denial of service vulnerabilities of medium severity and a denial of service and a privilege escalation of high severity. The good news for this library is that the two most recent versions (2.1.7 and 2.2.0) are free from known vulnerabilities.
The bad news with respect to this library is a related library (microsoft.aspnet.core.server.kestrel.transport.abstractions) also appears on the list. If you are using microsoft.aspnetcore.server.kestrel.core, you are also likely to be using microsoft.aspnet.core.server.kestrel.transport.abstractions. Additionally, it is important to remember that Kestrel is not a fully featured web server and is often run behind another library. Your choice to run Kestrel independently versus running it behind a library like NGINX or IIS is going to have an impact on how you approach your security.
Conclusion
We hope you have enjoyed this closer look into the .NET libraries that our scans indicate are responsible for the most vulnerabilities in our users' projects. Look for more .NET content from us soon, as we celebrate our recent Azure partnership.Do you use any of these libraries? Are you interested in securing your .NET projects? Try Snyk today for free.
Get started in capture the flag
Learn how to solve capture the flag challenges by watching our virtual 101 workshop on demand.
