actions / runner-images

GitHub Actions runner images

The CRT / SDK installed on MMS VS 2019 1ES images is not compliant with Microsoft BinSkim.

swenkeratmicrosoft opened this issue · comments

Description

The CRT / SDK installed on MMS VS 2019 1ES images is not compliant with Microsoft BinSkim.

Several libraries yield warnings due to using MD5 hashes instead of SHA256. Examples include libcmt.lib, libvcruntime.lib, msvcprt.lib, and atls.lib (may not be exhaustive).

This blocks warning-free use of BinSkim for binaries built on those images.

Platforms affected

  • Azure DevOps
  • GitHub Actions

Virtual environments affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 10.15
  • macOS 11
  • macOS 12
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Environment: windows-2019
Version: 20220710.1
Included Software: https://github.com/actions/virtual-environments/blob/win19/20220710.1/images/win/Windows2019-Readme.md
Image Release: https://github.com/actions/virtual-environments/releases/tag/win19%2F20220710.1

1ES Hosted Pool
SKU: Standard_D8ds_v4
Image: MMS2019
Image Version: 20220710.1.0

Is it regression?

No

Expected behavior

When running the Guardian: BinSkim task to scan for vulnerabilities in compiled binaries, no warnings due to the CRT being used should be encountered.

Actual behavior

Warnings due to the CRT being used are encountered. At a minimum, libcmt.lib, libvcruntime.lib, atls.lib, and msvcprt.lib are impacted, but that list may not be exhaustive.

For example:

D:\a_work\1\s\temp\generated_amd64fre\bins\eccvault2_generator_p256.exe: warning BA2004: 'eccvault2_generator_p256.exe' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:
Microsoft (R) Macro Assembler : masm : 14.29.30034.2 : libcmt.lib (amdsecgs.obj,chkstk.obj,guard_dispatch.obj,guard_xfg_dispatch.obj)
Microsoft (R) Macro Assembler : masm : 14.29.30034.2 : libvcruntime.lib (handlers.obj,memcmp.obj,memcpy.obj,memset.obj,notify.obj)
Microsoft (R) Optimizing Compiler : c : 19.29.30034.2 : libcmt.lib (cpu_disp.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,pesect.obj,ucrt_detection.obj)
Microsoft (R) Optimizing Compiler : c : 19.29.30034.2 : libvcruntime.lib (jbcxrval.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : atls.lib (atlbase.obj,stdafx.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : libcmt.lib (argv_mode.obj,commit_mode.obj,default_local_stdio_options.obj,delete_scalar.obj,delete_scalar_size.obj,denormal_control.obj,ehvecctr.obj,ehvecdtr.obj,env_mode.obj,exe_main.obj,file_mode.obj,gshandler.obj,gshandlereh4.obj,gshandlerseh.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_array.obj,new_mode.obj,new_scalar.obj,std_type_info_static.obj,thread_locale.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,ucrt_stubs.obj,utility.obj,utility_desktop.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : libvcruntime.lib (ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : msvcprt.lib (locale0_implib.obj)

Repro steps

  1. Create a Microsoft-internal 1ES agent pool with the aforementioned image version.
  2. Compile any code that has a dependency on any of the aforementioned .lib files.
  3. Add the Microsoft-internal Package ES Transition SDL template (Binary Analysis) as described on Microsoft-internal OSGWiki to your YAML.
  4. Run the pipeline.
  5. Look at "Guardian: BinSkim" task's output log to see warnings.

Hello @swenkeratmicrosoft.
We don't manage '1ES Hosted Pool' pools, and there is nothing we can do with those libs from our side. Please create a bug report on the https://developercommunity.visualstudio.com/ board, like https://developercommunity.visualstudio.com/t/crt-is-not-built-with-zhsha-256/1369173.

@al-cheb '1ES Hosted Pool' is just taking your images without changes! How can you say there's nothing you can do with those libs? They're the ones pre-installed on your images!

Those libs are part of Visual Studio 2019/2022 (C++ Standard Library) - https://docs.microsoft.com/en-us/cpp/c-runtime-library/crt-library-features?view=msvc-170, so I don't see any other way than to reach out to the developer team and ask them to fix this issue or remove the libs before deploying a new image. If you have any better solutions for how to fix it, we are open for discussion.

@al-cheb - Ah, so you need the public SDK to get updated. That makes more sense now. Thanks! :)

The v14.30.* MSVC++ toolset (VS 2022 v17.0) was the first that was built with /ZH:SHA_256 in the runtime libraries. You'll need to upgrade to that toolset/runtime version for libraries that pass this binskim check. We have no plans, at this time, to backport and rebuild older toolset releases with this option enabled, including older toolsets such as the VS 2019 v16.11 (MSVC++ v14.29).
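The BA2004 output quoted in the issue above, together with the statement that v14.30 was the first toolset whose runtime libraries were built with /ZH:SHA_256, is enough to triage such warnings automatically. The following is an added example, not code from the runner-images project or from BinSkim: it parses the "out of policy" module lines, groups the MD5-hashed object files by static library, and flags those produced by a pre-v14.30 toolset, which no flag in the consuming build can clear. The mapping of cl.exe versions 19.xx to toolset versions 14.xx is assumed from the MSVC versioning scheme, and the sample log is a trimmed copy of the output quoted above.

```python
import re

# First MSVC toolset whose CRT/STL libs are SHA-256 hashed (VS 2022 v17.0, per
# the thread above); older libs need a toolset upgrade, not a cl.exe flag.
FIRST_SHA256_TOOLSET = (14, 30)

# One "out of policy" module line under a BA2004 warning, e.g.
# "Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : libcmt.lib (a.obj,b.obj)"
MODULE_RE = re.compile(r"^.+? : (?P<lang>\w+) : (?P<version>\d+(?:\.\d+)+) : "
                       r"(?P<lib>\S+) \((?P<objs>[^)]*)\)$")

def toolset_version(tool_version: str) -> tuple[int, int]:
    """(major, minor) of the MSVC toolset. masm reports the toolset version (14.29.x);
    cl.exe reports the compiler version (19.29.x), assumed to share the minor number."""
    major, minor = (int(p) for p in tool_version.split(".")[:2])
    return (14 if major == 19 else major, minor)

def parse_ba2004_modules(log_text: str) -> list[dict]:
    """One record per module line; the warning header and other lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = MODULE_RE.match(line.strip())
        if not m:
            continue
        toolset = toolset_version(m["version"])
        records.append({
            "lang": m["lang"], "lib": m["lib"], "toolset": toolset,
            "objs": [o for o in m["objs"].split(",") if o],
            # The library itself predates SHA-256 hashing, so /ZH:SHA_256 in
            # the consuming project cannot clear this warning.
            "needs_toolset_upgrade": toolset < FIRST_SHA256_TOOLSET,
        })
    return records

def libs_needing_upgrade(log_text: str) -> dict[str, list[str]]:
    """Offending object files per static library built by a pre-v14.30 toolset."""
    grouped: dict[str, list[str]] = {}
    for r in parse_ba2004_modules(log_text):
        if r["needs_toolset_upgrade"]:
            grouped.setdefault(r["lib"], []).extend(r["objs"])
    return grouped

# Constructed sample: a trimmed copy of the BA2004 output quoted in the issue.
SAMPLE_LOG = """\
warning BA2004: 'eccvault2_generator_p256.exe' ... The following modules are out of policy:
Microsoft (R) Macro Assembler : masm : 14.29.30034.2 : libcmt.lib (amdsecgs.obj,chkstk.obj)
Microsoft (R) Optimizing Compiler : c : 19.29.30034.2 : libvcruntime.lib (jbcxrval.obj)
Microsoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : libcmt.lib (argv_mode.obj)
"""
```

Running libs_needing_upgrade over a real BinSkim log gives a per-library list of MD5-hashed objects; an empty result for a toolset-built library means the image's MSVC version already meets the policy.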

@dangrif - Which MMS images include the toolset you reference?

@al-cheb As you can see from dangrif, latest VS 2022 does have SHA256-hashed libs.

Which MMS images have a public SDK with a high enough version as indicated by dangrif? VS 2022 is required.

If none, this item needs to be re-opened to track creating or updating image(s) that have that version. Agreed?

Currently, we don't pre-install v14.30.x MSVC++ and above - https://github.com/actions/virtual-environments/blob/main/images/win/Windows2022-Readme.md . We will think about adding those components to the Windows Server 2022 image.

@dangrif, could you please review PR #5939?

Windows Server 2022 image with v14.32.x MSVC++ on board has been deployed to GitHub and Azure DevOps environments.