Dozens of Vulnerable NuGet Packages Allow Attackers to Target .NET Platforms

NuGet portal

9th July 2021, Kathmandu

An investigation of the off-the-shelf packages housed in the NuGet repository found that 51 unique software components are affected by severe vulnerabilities that are being actively exploited, again highlighting the danger that third-party dependencies pose to software development.

ReversingLabs researcher Karl Zanki noted in a report that, with the number of cyber incidents targeting the software supply chain still increasing, such modules urgently need to be assessed for security risk so that the attack surface can be minimized.

NuGet is a Microsoft-supported mechanism for the .NET platform that serves as a package manager built to let developers share reusable code. The framework maintains a central repository of over 264,000 unique packages that together have generated more than 109 billion package downloads.

In this model, code is very often wrapped into 'packages' that include compiled code (such as DLLs) together with the other content required by projects that consume them. NuGet defines how packages for .NET (including .NET Core) are created, hosted, and consumed, and provides tools for each of those roles; it is the code-sharing mechanism built and supported by Microsoft.

“All identified pre-compiled software components in our research were different versions of 7Zip, WinSCP, and PuTTYgen, programs that provide complex compression and network functionality,” Zanki explained. “They are continuously updated to enhance their functionality and to deal with known security vulnerabilities. However, sometimes it happens that other software packages get updated but still keep using several years old dependencies containing known vulnerabilities.”

In one instance, 'WinSCPHelper', a remote-server file management library that has been installed more than 35,000 times, was found to use an older, vulnerable WinSCP version 5.11.2, while WinSCP 5.17.10, published earlier this month, addresses the critical arbitrary code execution flaw (CVE-2021-3331) that leaves users of the package exposed.

The researchers also found that a vulnerable version of the "zlib" data compression library is bundled with over 50,000 software components from NuGet packages. This leaves the compression library open to several known security problems, such as CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, and CVE-2016-9843.

Among the packages found to carry the vulnerable zlib are "DicomObjects" and "librdkafka.redist", which have been downloaded between 50,000 and 18.2 million times.
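The WinSCPHelper and zlib findings above share one root cause: a package ships a pre-compiled binary whose version is never re-checked once it is bundled. The following is an added example, written for this article and not ReversingLabs' or NuGet's own tooling, of how a defender can inventory the compiled files inside a .nupkg (a zip archive with a .nuspec manifest) and flag any whose SHA-256 digest matches a known-vulnerable component list. The package versions, file contents and hashes below are constructed stand-ins; only the CVE identifiers and package names come from the article.

```python
"""Scan NuGet packages (.nupkg) for bundled pre-compiled binaries that match
a known-vulnerable component inventory. Added example; not ReversingLabs' or
NuGet's own tooling. Hashes, package versions and file contents are
constructed stand-ins, not real build artifacts."""
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile

# File types that carry compiled code inside a package
NATIVE_EXT = (".dll", ".exe", ".so", ".dylib")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_nupkg(pkg_id: str, version: str, files: dict) -> bytes:
    """Build a minimal .nupkg in memory. A real .nupkg is a zip archive with a
    .nuspec manifest plus content; this constructed one omits the OPC parts
    (_rels, [Content_Types].xml) that real packages also carry."""
    nuspec = (
        '<?xml version="1.0"?>'
        '<package xmlns="http://schemas.microsoft.com/packaging/2013/05/nuspec.xsd">'
        f"<metadata><id>{pkg_id}</id><version>{version}</version></metadata></package>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(f"{pkg_id}.nuspec", nuspec)
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()


def read_metadata(z: zipfile.ZipFile):
    """Return (id, version) from the package's .nuspec manifest."""
    nuspec_name = next(n for n in z.namelist() if n.lower().endswith(".nuspec"))
    root = ET.fromstring(z.read(nuspec_name))
    # The nuspec schema is namespaced; ElementTree prefixes tags with "{ns}".
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    meta = root.find(f"{ns}metadata")
    return meta.findtext(f"{ns}id"), meta.findtext(f"{ns}version")


def scan_nupkg(nupkg_bytes: bytes, inventory: dict) -> list:
    """Hash every compiled file in the package and report those whose digest
    appears in `inventory` (sha256 -> {"component": ..., "cves": [...]})."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        pkg_id, version = read_metadata(z)
        for name in z.namelist():
            if not name.lower().endswith(NATIVE_EXT):
                continue
            hit = inventory.get(sha256(z.read(name)))
            if hit:
                findings.append({
                    "package": f"{pkg_id} {version}",
                    "file": name,
                    "component": hit["component"],
                    "cves": hit["cves"],
                })
    return findings


# --- constructed sample data (not real binaries or real hashes) -------------
FAKE_WINSCP_5_11_2 = b"MZ constructed stand-in for WinSCP 5.11.2"
FAKE_ZLIB_OLD = b"MZ constructed stand-in for a vulnerable zlib build"
FAKE_CLEAN_DLL = b"MZ constructed stand-in for an assembly with no advisory"

# CVE identifiers are the ones named in the article; the digests are constructed.
INVENTORY = {
    sha256(FAKE_WINSCP_5_11_2): {"component": "WinSCP 5.11.2", "cves": ["CVE-2021-3331"]},
    sha256(FAKE_ZLIB_OLD): {
        "component": "zlib (vulnerable build)",
        "cves": ["CVE-2016-9840", "CVE-2016-9841", "CVE-2016-9842", "CVE-2016-9843"],
    },
}

# Package versions are placeholders; the article gives none for these packages.
SAMPLE_WINSCPHELPER = make_nupkg("WinSCPHelper", "0.0.0-example", {
    "lib/net45/WinSCPHelper.dll": FAKE_CLEAN_DLL,
    "content/WinSCP.exe": FAKE_WINSCP_5_11_2,
})
SAMPLE_LIBRDKAFKA = make_nupkg("librdkafka.redist", "0.0.0-example", {
    "runtimes/win-x64/native/librdkafka.dll": FAKE_CLEAN_DLL,
    "runtimes/win-x64/native/zlib1.dll": FAKE_ZLIB_OLD,
})
SAMPLE_CLEAN = make_nupkg("Example.Clean", "1.0.0", {
    "lib/netstandard2.0/Example.Clean.dll": FAKE_CLEAN_DLL,
})

if __name__ == "__main__":
    for pkg in (SAMPLE_WINSCPHELPER, SAMPLE_LIBRDKAFKA, SAMPLE_CLEAN):
        for finding in scan_nupkg(pkg, INVENTORY):
            print(finding)
```

Hash matching only catches builds you already have fingerprints for, which is why the inventory has to be maintained alongside the packages a build pulls in; pairing this with a lock file (packages.lock.json) and re-running it on every restore turns it into a gate rather than a one-off audit.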

“Companies developing software solutions need to become more conscious of such risks, and wish to become more involved in their handling,” Zanki said. “Equally, the inputs and final outputs of the application development process need to be checked for tampering and code quality issues. Transparent application development is one of the keystones essential to enable early detection and prevention of software supply-chain attacks.”
