Security Vulnerabilities in git2-106a5f2.dll: Non-Compliance with Secure Hashing and Compiler Security Best Practices
ocallesp opened this issue · 2 comments
Version of LibGit2Sharp (0.29.0)
Issue Description
We are using LibGit2Sharp version 0.29.0 in our project, and our security analysis tools (Microsoft's Guardian using BinSkim) have flagged the native binary git2-106a5f2.dll included in the NuGet package for several security vulnerabilities. These issues are crucial as they potentially compromise the security integrity of the binary and, by extension, any projects that utilize this library.
Identified Issues
- Insecure Hash Algorithm (MD5) - Rule BA2004
  - Details: The binary is using MD5 for hashing object files, which is vulnerable to collision attacks. MD5's use can compromise the supply chain's integrity.
  - Recommendation: It is recommended to switch to SHA-256, which is a more secure hashing algorithm, by passing `/ZH:SHA_256` on the cl.exe command line.
- Missing Control-flow Enforcement Technology (CET) - Rule BA2025
  - Details: The binary does not enable CET Shadow Stack mitigation, a security feature that helps protect against common exploit techniques.
  - Recommendation: To resolve this issue, please pass `/CETCOMPAT` on the linker command lines.
- Lack of Compiler Security Checks (SDL) - Rule BA2026
  - Details: The binary was compiled without the recommended Security Development Lifecycle (SDL) checks, which could lead to potentially exploitable runtime issues.
  - Recommendation: Ensure the `/sdl` switch is used on the `cl.exe` command-line, or the 'SDL checks' property is set in the 'C/C++ -> General' configuration property page, or the 'SDLCheck' property is explicitly set in the project file.
Impact
The presence of these issues might not only affect the security posture of projects using LibGit2Sharp but could also impact compliance with various security standards, making it less feasible for use in environments where security is a priority.
Request
We request the maintainers of LibGit2Sharp to please address these issues in an upcoming release. If there are any guidelines or planned updates to mitigate these concerns, sharing them would be greatly appreciated. Meanwhile, we would be happy to assist or provide further information needed to resolve these vulnerabilities.
Thank you for your attention to this matter and for your continued efforts in maintaining this valuable library.
Additional Information
- Environment: Specify your environment details, such as OS, version of toolchains, etc., if relevant.
- References:
Hi @ocallesp - looks like you're vetting libgit2sharp through some Microsoft security process? Let me know if I'm wrong but this all sounds very familiar to me from when we did this in Visual Studio.
Is this a new inclusion of libgit2sharp or is there some changing requirement for an existing dependency?
Can you not reuse the exceptions to these requirements that devdiv (VS and Azure DevOps) have already completed?
For example, MD5 is used for NTLM compatibility and there's no possibility of upgrading to SHA-256, so that needs to be accepted and, subsequently, excepted.
Let me know if you want to discuss this further. I've done this before and would be willing to jump on a quick call to get you pointed in the right direction.
Not needed anymore. We removed this DLL from our extension.
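For the BA2025 finding in the issue above: the linker's `/CETCOMPAT` option records the `IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT` bit in the image's extended DLL characteristics debug entry, so a build pipeline can check a native binary for it directly. This is an added example, not code from the issue, LibGit2Sharp or BinSkim; `is_cet_compat`, `build_sample` and the sample header bytes are constructed for illustration.

```python
import struct

DEBUG_DIR_INDEX = 6            # IMAGE_DIRECTORY_ENTRY_DEBUG
EX_DLLCHARACTERISTICS = 20     # IMAGE_DEBUG_TYPE_EX_DLLCHARACTERISTICS
CET_COMPAT = 0x0001            # IMAGE_DLLCHARACTERISTICS_EX_CET_COMPAT

def is_cet_compat(pe: bytes) -> bool:
    """True if the PE image carries the CET Shadow Stack compatibility marker."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0] if pe[:2] == b"MZ" else -1
    if nt < 0 or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24                                   # start of the optional header
    magic, = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)    # PE32+ vs PE32 layout
    ndirs, = struct.unpack_from("<I", pe, dirs - 4)
    if ndirs <= DEBUG_DIR_INDEX:
        return False
    rva, size = struct.unpack_from("<II", pe, dirs + 8 * DEBUG_DIR_INDEX)
    # Translate the debug directory RVA to a file offset via the section table.
    off = None
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            off = rva - va + rptr
    if off is None:
        return False
    for entry in range(off, off + size, 28):        # IMAGE_DEBUG_DIRECTORY is 28 bytes
        kind, dsize, _, ptr = struct.unpack_from("<IIII", pe, entry + 12)
        if kind == EX_DLLCHARACTERISTICS and dsize >= 4:
            return bool(struct.unpack_from("<I", pe, ptr)[0] & CET_COMPAT)
    return False

def build_sample(ex_flags: int) -> bytes:
    """Constructed minimal PE32+ header with one section; not a loadable DLL."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)                    # e_lfanew
    struct.pack_into("<HH", pe, 0x44, 0x8664, 1)              # machine, section count
    struct.pack_into("<H", pe, 0x54, 240)                     # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x20B)                   # PE32+ magic
    struct.pack_into("<I", pe, 0x58 + 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", pe, 0x58 + 112 + 48, 0x1000, 28)  # debug directory RVA, size
    struct.pack_into("<IIII", pe, 0x148 + 8, 0x200, 0x1000, 0x200, 0x200)  # section
    struct.pack_into("<IIII", pe, 0x200 + 12, EX_DLLCHARACTERISTICS, 4, 0x1020, 0x220)
    struct.pack_into("<I", pe, 0x220, ex_flags)               # extended characteristics
    return bytes(pe)
```

Calling `is_cet_compat(open(path, "rb").read())` on a real DLL applies the same check to a shipped binary.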