Justification required for security flaws detected in Veracode scan

Nov 24, 2011 at 10:03 AM
Edited Nov 24, 2011 at 10:05 AM

Hi,

We have used Ionic.Zip.dll in our web application to zip files before downloading. The assembly version of the DLL is 1.8.4.27. The application is running in production. Recently our code has been scanned by Veracode, which identified various security issues. Some of the security issues are related to the Ionic Zip DLL. Can you please provide the justification for each of the security flaws identified? We need to submit a report providing justification/resolution that in using Ionic Zip there is no security threat. Please find below the table with the issues and descriptions of the issues.

| Category | CWE Name | Description | Module | Scope | Function Prototype |
|---|---|---|---|---|---|
| Cryptographic Issues | Insufficient Entropy | Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand(). If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy. References: CWE (http://cwe.mitre.org/data/definitions/331.html) | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.SharedUtilities | char GetOneRandomChar(int) |
| Cryptographic Issues | Insufficient Entropy | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.SharedUtilities | string GenerateRandomStringImpl(int, int) |
| Cryptographic Issues | Insufficient Entropy | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipEntry | void _WriteSecurityMetadata(System.IO.Stream) |
| Cryptographic Issues | Insufficient Entropy | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.WinZipAesCrypto | WinZipAesCrypto Generate(string, int) |
| Directory Traversal | External Control of File Name or Path | This call to mscorlib_dll.System.IO.File.Open() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to Open() contains tainted data. The tainted data originated from an earlier call to ionic_zip_dll.Ionic.Zip.ZipFile.IsZipFile. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. References: CWE (http://cwe.mitre.org/data/definitions/73.html) WASC (http://webappsec.pbworks.com/Path-Traversal) | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | bool IsZipFile(string, bool) |
| Directory Traversal | External Control of File Name or Path | This call to mscorlib_dll.System.IO.File.OpenRead() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to OpenRead() contains tainted data. The tainted data originated from earlier calls to ionic_zip_dll.Ionic.Zip.ZipFile.Read, ionic_zip_dll.Ionic.Zip.ZipFile.CheckZip, and ionic_zip_dll.Ionic.Zip.ZipFile.FixZipDirectory. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. References: CWE (http://cwe.mitre.org/data/definitions/73.html) WASC (http://webappsec.pbworks.com/Path-Traversal) | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | System.IO.Stream get_ReadStream() |
| Directory Traversal | External Control of File Name or Path | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | System.IO.Stream get_WriteStream() |
| Directory Traversal | External Control of File Name or Path | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | void RemoveTempFile() |
| Directory Traversal | External Control of File Name or Path | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | void Save() |
| Directory Traversal | External Control of File Name or Path | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | void Save() |
| Directory Traversal | External Control of File Name or Path | | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zip.ZipFile | void Save() |
| Code Quality | Improper Resource Shutdown or Release | There are a total of 9 instances. The program fails to release or incorrectly releases some variables, e.g. the variable ms, which was previously allocated by a call to mscorlib_dll.System.IO.MemoryStream.!newinit_0_0(). Ensure that all code paths properly release this resource. References: CWE (http://cwe.mitre.org/data/definitions/404.html) | Ionic.Zip.dll | ionic_zip_dll.Ionic.Zlib.DeflateStream | byte[] CompressBuffer(byte[]) |

Thanks for the help in advance.

Regards,
Vashist
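As an added example (not DotNetZip's own code, and assuming the flagged `WinZipAesCrypto.Generate(string, int)` takes a password and an AES key strength in bits, as its prototype suggests), the following C# contrasts the `System.Random` pattern behind an Insufficient Entropy finding with the CryptoAPI-backed salt the remediation text recommends, and carries that salt through the WinZip AES key derivation such a routine has to produce; the PBKDF2 parameters and salt sizes come from the WinZip AES specification, not from the post.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not DotNetZip code. Shows why System.Random draws an
// "Insufficient Entropy" finding for a Generate(password, keyStrength)-style
// routine, and a CryptoAPI-backed replacement for the per-entry salt.
public static class WinZipAesKeyMaterial
{
    // Weak pattern: System.Random is clock-seeded and not cryptographic, so a
    // salt drawn from it is predictable; this is what the scanner flags.
    private static readonly Random _weakRnd = new Random();

    public static byte[] WeakSalt(int saltLength)
    {
        var salt = new byte[saltLength];
        _weakRnd.NextBytes(salt);   // flagged: not a cryptographic RNG
        return salt;
    }

    // Hardened: salt from the OS cryptographic RNG (CryptoAPI on Windows,
    // which is what the finding's remediation text recommends).
    public static byte[] StrongSalt(int saltLength)
    {
        var salt = new byte[saltLength];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        return salt;
    }

    // WinZip AES (AE-1/AE-2) key material per the WinZip spec: PBKDF2 with
    // HMAC-SHA1, 1000 iterations, salt of keyStrength/16 bytes (8/12/16 for
    // AES-128/192/256), yielding AES key + HMAC key + 2-byte verifier.
    public static void Derive(string password, int keyStrengthInBits,
                              out byte[] salt, out byte[] aesKey,
                              out byte[] hmacKey, out byte[] verifier)
    {
        if (keyStrengthInBits != 128 && keyStrengthInBits != 192 && keyStrengthInBits != 256)
            throw new ArgumentOutOfRangeException("keyStrengthInBits");
        int keyBytes = keyStrengthInBits / 8;
        salt = StrongSalt(keyStrengthInBits / 16);
        var kdf = new Rfc2898DeriveBytes(password, salt, 1000);
        aesKey   = kdf.GetBytes(keyBytes);   // successive calls continue the PBKDF2 stream
        hmacKey  = kdf.GetBytes(keyBytes);
        verifier = kdf.GetBytes(2);
    }
}
```

The verifier bytes are the 2-byte password check stored in the entry header; the salt is stored alongside them and must be fresh per entry, which is why its source matters to the scanner.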