Veracode Scan reports there is a serious security flaw in system.management.automation 6.1.7601.17515

  • Question

  • Our product provides a PowerShell operation interface for the customer. These functions target the .NET Framework and are based on Microsoft system.management.automation 6.1.7601.17515, but the code security analysis tool Veracode Scan reports that there is a serious security flaw.

    The Veracode report is shown below:

    Description

    Improper Neutralization of Special Elements used in an OS Command

    Description

    This call contains a command injection flaw. The argument to the function is constructed using untrusted input. If an attacker is allowed to specify all or part of the command, it may be possible to execute commands on the server with the privileges of the executing process. The level of exposure depends on the effectiveness of input validation routines, if any.

    Recommendations

    Validate all untrusted input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. Most APIs that execute system commands also have a "safe" version of the method that takes an array of strings as input rather than a single string, which protects against some forms of command injection.

    Instances found via Static Scan

    Flaw Id   Module                             Location              Exploitability   Fix By
    105       system.management.automation.dll   void ConnectAsync()   76% Likely       9/11/19


    We are not sure whether the DLL really has this security flaw, or whether the Veracode scan tool reported it by mistake.
    Though the latest version of this DLL does not have this flaw, it is based on the latest version of .NET Core, and our product is based on the .NET Framework. Moving it from the .NET Framework to .NET Core means a lot of work. So we want to check whether it is really a security flaw. If so, can you please give some advice about how to enhance the security? Thanks.

    Wednesday, October 16, 2019 8:47 AM
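The recommendation quoted in the Veracode report (validate input centrally, and prefer an API that takes structured arguments over one that takes a single command string) maps directly onto the System.Management.Automation hosting API that a product like the one described would use. The C# below is an added example and is not code from the question, from the product, or from the DLL in the report; the class and method names, the allowed root directory and the choice of Get-ChildItem as the invoked command are assumptions made for illustration.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IO;
using System.Management.Automation;

// Added example (not from the original post). It contrasts the two ways a
// PowerShell host can hand caller-supplied data to the engine: spliced into
// script text (what a static scanner reports as command injection) versus
// bound as a parameter value through the structured API.
public static class PowerShellHostExample
{
    // Assumed allow-list root; a real host would take this from configuration.
    private static readonly string AllowedRoot = Path.GetFullPath(@"C:\ProductData");

    // Pattern the scanner flags: the caller's text becomes part of the script
    // source, so the PowerShell parser treats it as code rather than as a value.
    public static Collection<PSObject> ListDirectoryUnsafe(string untrustedPath)
    {
        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddScript("Get-ChildItem -Path " + untrustedPath);
            return ps.Invoke();
        }
    }

    // Hardened form: the command and each parameter are added structurally.
    // The engine never parses untrustedPath; it is bound as a parameter value.
    // LiteralPath is used so that wildcard characters are not expanded either.
    public static Collection<PSObject> ListDirectorySafe(string untrustedPath)
    {
        string validated = ValidatePath(untrustedPath);

        using (PowerShell ps = PowerShell.Create())
        {
            ps.AddCommand("Get-ChildItem")
              .AddParameter("LiteralPath", validated);

            Collection<PSObject> results = ps.Invoke();

            // Surface engine errors instead of silently returning partial output.
            if (ps.HadErrors && ps.Streams.Error.Count > 0)
            {
                throw new InvalidOperationException(ps.Streams.Error[0].ToString());
            }
            return results;
        }
    }

    // Centralised validation, as the report recommends: canonicalise first,
    // then compare against an allow-list root rather than stripping characters
    // with a black list.
    public static string ValidatePath(string untrustedPath)
    {
        if (string.IsNullOrWhiteSpace(untrustedPath))
        {
            throw new ArgumentException("Path must not be empty.", nameof(untrustedPath));
        }

        // Resolves '..' and relative segments before the allow-list check.
        string full = Path.GetFullPath(untrustedPath);

        string rootWithSeparator =
            AllowedRoot.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;

        bool insideRoot =
            string.Equals(full, AllowedRoot, StringComparison.OrdinalIgnoreCase)
            || full.StartsWith(rootWithSeparator, StringComparison.OrdinalIgnoreCase);

        if (!insideRoot)
        {
            throw new UnauthorizedAccessException("Path is outside the allowed root.");
        }
        return full;
    }
}
```

The same split applies on the PowerShell-script side of such an interface: a function that binds caller input to a declared parameter is in the structured camp, while one that builds a string and hands it to Invoke-Expression is in the AddScript camp. Note that the report's instance is located inside system.management.automation.dll itself (ConnectAsync), so host-side changes like the ones above do not alter that finding; they cover the part of the call chain the product controls, which is where the report's own recommendations can actually be applied.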

Answers

  • This is not the correct place to report bugs.

    Please post bug issues in UserVoice.


    ¯\_(ツ)_/¯

    Wednesday, October 16, 2019 9:39 AM