Need help understanding a Security Center vulnerability issue encountered on Azure Container Registry and its remediation.

  • Question

  • Currently 2 of the security checks fail during an Azure Security Center scan carried out on the images within Azure Container Registry. These images contain .NET Core 2.2 apps (Web API and Angular based) and .NET Core 3.0 apps.

    1. 372268 - GNU Bash Privilege Escalation Vulnerability for Debian (Zero day)

        There is no remediation step provided for this security check, though. I am not sure how to handle this.

    2. 177599 - Debian Security Update for libidn2 (DSA 4613-1)

        This issue is encountered on images containing .net core 3.0 web api.

    Tuesday, March 3, 2020 9:00 PM

Answers

  • Hi Karishma,

    1. 372268 - GNU Bash Privilege Escalation Vulnerability for Debian (Zero day)

        I am currently working to resolve this issue

    2. 177599 - Debian Security Update for libidn2 (DSA 4613-1)

         This issue has been resolved with the latest version of the .NET Core SDK and runtime.


    Thanks, Aalap

    Friday, March 13, 2020 6:26 PM

All replies

  • Could you provide the exact base image that is being used?
    Let me know the exact image URL and I will see if I can find some potential remediation steps.
    Wednesday, March 4, 2020 12:44 AM
  • Hello Karishma,

    I am unable to post screenshots here.

    However, to provide further information on the issue encountered, the details are as follows.

    - From Azure Security Center, under Resource security hygiene, I access 'Compute & apps resources'

    - Then, under the Containers section, I access the Azure Container Registry instance

    - Within this, under the Recommendation list, I see an entry for "Vulnerabilities in Azure Container Registry images should be remediated (powered by Qualys)"

    - After clicking on this recommendation entry, I see a couple of entries for 'Security checks' carried out. These are as follows:

            #1: 372268-GNU Bash Privilege Escalation Vulnerability for Debian (Zero Day)
                   This comes with high severity, and a patch is not available for this security check.

            #2: 177599-Debian Security Update for libidn2 (DSA 4613-1)
                   This comes with medium severity, but I am unable to understand where this patch has to be applied, as I am using the base Docker images for deploying a .NET Core 3.0 Web API application.

    The base images used in Docker files are as follows:
    - microsoft/dotnet:2.2-aspnetcore-runtime
    - microsoft/dotnet:2.2-sdk
    - mcr.microsoft.com/dotnet/core/aspnet:3.0
    - mcr.microsoft.com/dotnet/core/sdk:3.0 

    Besides these, I use the below lines within the Dockerfile for Angular-based projects. But the error encountered is not specific to Angular projects containing the below snippet; it is also encountered in images whose Dockerfile does not contain these lines.

    # curl is needed only to fetch the NodeSource setup script; Node.js builds the Angular front end
    RUN apt-get update && apt-get install -y curl
    # This pipes a remotely fetched script straight into bash; pin and verify the script where possible
    RUN curl -sL https://deb.nodesource.com/setup_8.x | bash -
    RUN apt-get update && apt-get install -y nodejs
    

    Hope this information helps.

    • Edited by Aalap Mhatre Wednesday, March 4, 2020 10:06 AM additional info
    Wednesday, March 4, 2020 9:54 AM
  • Thank you for sharing the details. Let me investigate and get back to you.
    Thursday, March 5, 2020 2:57 AM
  • It looks like the microsoft/dotnet:2.2-aspnetcore-runtime image contains the following critical finding: 177599 - Debian Security Update for libidn2 (DSA 4613-1)

    My recommendation would be to use more recent versions of the dotnet images; 2.2.2 has far fewer vulnerabilities.

    The general rule is to always use the latest patch release x.y.z, where z denotes the patch number. Those releases are often associated with security patches.

    I am reaching out to internal teams as well and will share an update soon.


    Thursday, March 5, 2020 4:36 AM
  • Thanks for the insights, Karishma.

    I then reckon it is better to choose .NET Core 3.1, as .NET Core 2.2 reached EOL in December 2019.

    https://github.com/dotnet/core/blob/master/microsoft-support.md


    Thanks, Aalap

    Friday, March 6, 2020 10:18 AM
  • Thanks for sharing the update. ACR is making you aware by showing you the vulnerability on your Linux container. Try using the latest Debian version; this could solve the issue, but it mostly depends on the image you are using.

    Let me know if it works for you with the latest version.
    Friday, March 6, 2020 9:04 PM
  • So are you saying that the latest version (.NET Core 2.2.2) contains fewer vulnerabilities, or the latest version of .NET Core (.NET Core 3.1)?

    That means I then also have to do a compatibility check of the libraries/packages that were added for .NET Core 2.2, for their use in .NET Core 3.1.

    Kindly confirm my understanding here.


    Thanks, Aalap


    • Edited by Aalap Mhatre Monday, March 9, 2020 1:18 PM version number corrected
    Monday, March 9, 2020 1:15 PM
  • Hi, This looks like an issue with the image. Did you try with the latest Debian version and still seeing issues?
    This might need backend look up by a support engineer. Do you have the ability to create a support request? If not, send me an email to AzCommunity@microsoft.com with the thread link and your subscription Id and Subject as 'Attn: Karishma', I will enable a support request for you.


    Tuesday, March 10, 2020 11:08 PM
  • Thanks for the update.
    Friday, March 20, 2020 7:28 PM
  • Hi Karishma,

    Do you have any insights on:

    1. 372268 - GNU Bash Privilege Escalation Vulnerability for Debian (Zero day)
    Description
    GNU Bash. Bash is the GNU Project's shell.

    An attacker with command execution in the shell can use "enable -f" for runtime loading of a new builtin, which can be a shared object that calls setuid() and therefore regains privileges.

    QID Detection Logic (Authenticated)
    This checks for vulnerable version of Bash shell in Debian 9 and 10.




    Thanks, Aalap

    Thursday, April 2, 2020 6:57 PM
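Both findings in this thread (the libidn2 update from DSA 4613-1 discussed above, and the bash finding whose Qualys description is quoted in the last post) are reported against Debian packages in the OS layer of the .NET base image, not against .NET itself, so the place to check and to patch is the image's dpkg database. The script below is an added example written for this page, not code from the thread, from Microsoft or from Qualys: it reads a `dpkg-query` listing taken from an image, compares installed versions to the advisory's fixed versions using dpkg's own ordering rules (so that a `~deb9u1` backport suffix sorts before the plain version and a `+deb10u1` update sorts after it), and reports packages for which the vendor has published no fix at all, which is the situation the thread describes for the bash check. The fixed versions in `ADVISORIES` are my recollection of DSA 4613-1 and are an assumption to verify against the advisory; the package listing is constructed to look like a buster-based image and was not captured from a real one.

```python
"""Check a Debian package listing from a container image against security
advisories, using dpkg's version-ordering rules (added example, not from the thread)."""

import sys


def _order(c):
    """Weight of one non-digit character, following dpkg's verrevcmp()."""
    if c == "~":
        return -1
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare an upstream-version or revision string the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character with _order(); end of string weighs 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: compare numerically, ignoring leading zeros
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return <0, 0 or >0 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


# Fixed versions as I recall them from DSA 4613-1 (assumption: verify against
# https://www.debian.org/security/2020/dsa-4613 before relying on them).
# An empty "fixed" table means no fixed package is published for any suite, which is
# what the thread reports for the bash finding (QID 372268).
ADVISORIES = {
    "DSA-4613-1 / QID 177599": {"package": "libidn2-0",
                                "fixed": {"stretch": "2.0.5-1~deb9u1", "buster": "2.0.5-1+deb10u1"}},
    "QID 372268 (bash enable -f)": {"package": "bash", "fixed": {}},
}

# Constructed sample of `dpkg-query -W -f '${Package}\t${Version}\n'` output, shaped
# like a buster-based image; not captured from a real image.
SAMPLE_LISTING = "bash\t5.0-4\nlibc6\t2.28-10\nlibidn2-0\t2.0.5-1\nlibssl1.1\t1.1.1d-0+deb10u2\n"


def check_listing(listing, suite, advisories=ADVISORIES):
    """Return one finding per advisory whose package is installed: vulnerable, fixed or no-vendor-fix."""
    installed = {}
    for line in listing.splitlines():
        if line.strip():
            pkg, ver = line.split("\t", 1)
            installed[pkg.strip()] = ver.strip()
    findings = []
    for adv_id, adv in advisories.items():
        pkg = adv["package"]
        if pkg not in installed:
            continue
        fixed = adv["fixed"].get(suite)
        if fixed is None:
            status = "no-vendor-fix"
        elif compare_versions(installed[pkg], fixed) < 0:
            status = "vulnerable"
        else:
            status = "fixed"
        findings.append({"advisory": adv_id, "package": pkg, "installed": installed[pkg],
                         "fixed": fixed, "status": status})
    return findings


def main(argv):
    """Usage: docker run --rm IMAGE dpkg-query -W -f '${Package}\\t${Version}\\n' | python3 dsa_check.py SUITE"""
    if len(argv) != 2:
        print(main.__doc__, file=sys.stderr)
        return 2
    findings = check_listing(sys.stdin.read(), argv[1])
    for f in findings:
        print(f"{f['advisory']}: {f['package']} {f['installed']} -> {f['status']}"
              f" (fixed in: {f['fixed'] or 'no fixed package published'})")
    return 1 if any(f["status"] != "fixed" for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The suite name to pass is the image's `VERSION_CODENAME` from `/etc/os-release` (`docker run --rm IMAGE sh -c '. /etc/os-release && echo $VERSION_CODENAME'`). A `vulnerable` result on libidn2-0 is cleared by rebuilding on a base tag that already carries the updated package, or by adding `apt-get update && apt-get upgrade -y` to the Dockerfile so the fixed Debian package is pulled in at build time; a `no-vendor-fix` result, as the thread reports for the bash check, cannot be cleared by upgrading and has to be tracked as an accepted or mitigated finding until Debian publishes a fixed package.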