Critical IP Address Validation Vulnerability Also Affects Python Projects
The Python Standard Library IP Address Also Suffers from the Critical IP Address Validation Flaw That Was Reported in the netmask Library in Late March.
Two months ago, we reported that cybersecurity analysts have disclosed a vulnerability (CVE-2021-28918) in the popular npm netmask library. As a result of improper validations in place, netmask sees a different IP when parsing an IP address with a leading zero. This flaw exists in the npm and Perl versions of the network mask and other similar libraries.
As revealed this week by researchers Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler, the IP address validation vulnerability also impacts the IP address of the standard Python library.
The flaw, tracked as CVE2021-29921, resides in the Python 3.x ipaddress module and exists due to a change made a couple of years ago by project maintainers.
Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid IP addresses. For example, an attacker submitting an IP address to a web application that relies on stdlib ipaddress, could cause SSRF via inputting octal input data; An attacker can submit exploitable IP addresses if the octet is 3 digits, with the minimum exploitable octect being 08 (Denial of Service) and the maximum exploitable octet is 099. For example, an attacker can submit 010.8.8.8, which is 220.127.116.11, yet Python ipaddress builtin will evaluate this as 10.8.8.8.
According to the researchers, the vulnerability exists due to incorrect IP address analysis by the affected library. The ipaddress module provides Python developers with various functions to easily create IP addresses, networks, and interfaces.
Although most commonly seen IPv4 addresses are expressed in decimal format, an IP address has a variety of formats, including hexadecimals, octals, and integers.
According to ITEF’s Textual Representation of IPv4 and IPv6 Addresses, parts of an IPv4 address can be interpreted as octal if prefixed with a “0”.
For ambiguous IP addresses, parts of an IPv4 address can be interpreted as octal if they have the prefix “0”; however, in the case of the IP address of the standard Python library, the leading zeros will simply be removed.
As reported by BleepingComputer, a proof of concept shows that the Python IP address library would simply discard the zeros at startup. To put it another way, when parsed using the Python ipaddress module, ‘010.8.8.8’ would be treated as ’10 .8.8.8′, instead of ‘18.104.22.168’.
Image Source: BleepingComputer
Although the ipaddress module was introduced in Python 3.3, this regression error was introduced in the module from Python version 3.8.0 through 3.10. Multiple options for temporary risk mitigation have been published on the project’s official platforms.
Image Source: BleepingComputer
Python maintainers Joel Croteau, Victor Stinner, Christian Heimes are currently debating on what is the best way to deal with this vulnerability.