This short note is an interim result of my search for already known vulnerabilities in open source C# projects. I wanted to look at examples of code that was vulnerable and caused yet another CVE, but it turned out that things are not so simple...
Background (vulnerabilities in C/C++ projects)
I have already worked on a similar task for the C and C++ programming languages, and I would like to refer briefly to that earlier work so that the question in the title is easier to understand.
I will not go into details and will describe it in a few sentences. The previous goal was similar: to see which CVEs had been found in open source C/C++ projects, and to find out whether PVS-Studio can find similar problems. As a result of that work, I found some interesting vulnerabilities (and if I had continued working in this direction, I'm sure I would have found even more) which could have been prevented by using PVS-Studio. The experiment ended successfully, and based on it I wrote the article "How can PVS-Studio help in finding vulnerabilities?".
It was convenient that the CVE description often included links to the commits that closed the vulnerability. By looking at the history of code changes, it was possible to understand what the vulnerability was and how it was closed. As a result, the task came down to finding something interesting among such fixes.
Summarizing the above, we can single out several points that define a CVE that is convenient for verification:
- It contains a link to the source code (before and after the fix).
- The commit is local, that is, it is not 'smeared' across several files but affects one well-defined place.
- The code in this place uses publicly available facilities rather than anything specific to a particular project (such as custom functions that replace their standard counterparts).
- The vulnerability is not a consequence of a specific error in the logic of the application.
If a CVE meets these requirements, it is likely to be detectable by static source code analysis.
Vulnerabilities in C# projects
I approached the search for vulnerabilities in open source C# projects several times from different angles, but none of the attempts brought the expected result.
The main sources of information I relied on were the CVE database and the CVE Details site (as well as Google, GitHub, reddit, StackOverflow).
Here are the main approaches that I used:
- Looked up the most popular C# projects from GitHub in the CVE database. I sorted the C# projects on GitHub by the number of stars and then checked about 100 of them against the CVE database; most of them are not even mentioned there.
- I wrote a small utility that scanned the CVE database, found all the links to GitHub (there were more than 5000 of them), and picked out those that were links to commits affecting C# (.cs) files. To my surprise, there were only 8 such links! This was clearly not enough. In addition, not all of these commits met the criteria for a convenient CVE described in the previous section.
- With a search query on GitHub, among the issues of all C# projects with more than 10 stars, I chose those that contained the word "CVE" in the title, topic or comments. Again a miss: in most cases, specific CVEs were not discussed, or there were no links to the commits with the fixes.
- Went through the projects from the .NET Open Source Developer Projects list. I searched for them in the CVE database, on the CVE Details website, and on Google.
- Went through the CVE database searching for certain keywords, such as C# or .Net.
- Searched Google for the identifiers of various CVEs from the CVE database and from the CVE Details site.
- Additionally, I ran various Google search queries related to vulnerabilities in C# / .Net and open source projects.
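A sketch of the kind of filter the second approach describes, as an added example (not the author's utility): it extracts GitHub commit links from CVE reference URLs and keeps the commits that touch .cs files and stay local. The record layout, the `max_files` threshold, the CVE ids, repositories and hashes are all constructed assumptions, and the per-commit file lists are hard-coded where a real run would have to read them from each repository.

```python
import re
from urllib.parse import urlsplit

# /<owner>/<repo>/commit/<sha>, optionally via a pull request or with .patch/.diff
COMMIT_PATH = re.compile(
    r"^/([^/]+)/([^/]+)/(?:pull/\d+/commits|commit)/([0-9a-fA-F]{7,40})"
    r"(?:\.patch|\.diff)?/?$"
)

def github_commits(records):
    """Return unique (cve_id, owner, repo, sha) for references that are GitHub commits."""
    found = []
    for rec in records:
        for url in rec["references"]:
            parts = urlsplit(url)
            # Compare the parsed host exactly; a substring test would accept look-alikes.
            if (parts.hostname or "").lower() not in ("github.com", "www.github.com"):
                continue
            m = COMMIT_PATH.match(parts.path)
            if m:
                key = (rec["id"], m[1].lower(), m[2].lower(), m[3].lower())
                if key not in found:  # the same commit is often linked twice
                    found.append(key)
    return found

def csharp_candidates(records, changed_files, max_files=3):
    """Keep commits that touch a .cs file and stay 'local' (few files changed)."""
    keep = []
    for cve_id, owner, repo, sha in github_commits(records):
        files = changed_files.get((owner, repo, sha), [])
        if len(files) <= max_files and any(f.lower().endswith(".cs") for f in files):
            keep.append((cve_id, f"{owner}/{repo}@{sha[:7]}"))
    return keep

# Constructed sample data (placeholder ids, repositories, hashes and file lists).
RECORDS = [
    {"id": "CVE-0000-0001", "references": [
        "https://github.com/example-org/WebApp/commit/1a2b3c4d5e6f",
        "https://github.com/example-org/WebApp/commit/1a2b3c4d5e6f.patch",  # duplicate
        "https://github.com/example-org/WebApp/releases/tag/v1.2.3"]},     # release only
    {"id": "CVE-0000-0002", "references": ["https://github.com/example-org/libfoo/commit/abcdef1234567"]},
    {"id": "CVE-0000-0003", "references": ["https://github.com.mirror.example/x/y/commit/deadbeef0000"]},
]
CHANGED_FILES = {
    ("example-org", "webapp", "1a2b3c4d5e6f"): ["src/Auth/TokenValidator.cs"],
    ("example-org", "libfoo", "abcdef1234567"): ["src/parse.c", "src/parse.h"],
}

if __name__ == "__main__":
    print(csharp_candidates(RECORDS, CHANGED_FILES))
```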
To my great surprise, none of these approaches brought the expected result: only a tiny number of the vulnerabilities found also contained links to the source code from which you could understand exactly what the problem was.
Having done similar work on C/C++ projects, here is what surprised me:
- There are few documented vulnerabilities in C# projects in the CVE database in principle. Are C# projects almost free of vulnerabilities? I can hardly believe that. Or are vulnerabilities in C# code simply not documented or publicized, and is that why there are so few of them in the CVE database?
- The vulnerability is in the CVE database, and there is a link to the release in which the vulnerability was closed (which by itself already confirms its presence), but there are no links to the vulnerable code, even though this is an open source project! I repeat, in C/C++ projects, as a rule, there were links to the specific commits that closed the vulnerabilities. That is, the developers reported not only that the vulnerability was closed, but also demonstrated the problem itself and how it was solved.
Conclusion
In general, I was surprised by this state of affairs regarding vulnerabilities in C# projects. Why are there so few of them? Why are there so few examples of vulnerabilities that have been closed?
Is the situation really what it seems? Or was there some flaw in my approaches that did not allow me to get the necessary result?
If you have examples of analysis of vulnerable code (documented, that is, having a CVE identifier), or you notice some obvious flaw in my approach that kept me from getting the expected results, please write me an email at vasiliev@viva64.com; I will read your suggestions and comments with interest.
List of found vulnerabilities
Below I provide a list of those vulnerabilities that have both a CVE identifier and examples of vulnerable code. Perhaps they will be interesting or useful to someone. Also, if you want to send me a link to an example of vulnerable code, please first check whether the identifier of that vulnerability is already in the list below.
If you want to share this article with an English-speaking audience, please use the link to the translation: Sergey Vasiliev. What is Wrong with Vulnerabilities in C# Projects?