Critical netmask Networking Flaw Reported by Security Specialists
Hundreds of thousands of applications use netmask to parse IPv4 addresses and CIDR blocks or compare them.
With almost 3 million weekly downloads, netmask has scored more than 238 million total downloads over its lifetime. What’s more, around 279,000 GitHub repositories depend on the component.
Yesterday, cybersecurity analysts Sick Codes, Victor Viale, John Jackson, Nick Sahler, and Kelly Kaoudis disclosed a vulnerability (CVE-2021-28918) in the popular npm netmask library. As a result of improper input validation, netmask sees a different IP when it parses an address whose octets carry a leading zero.
More than a quarter of a million other projects depend on netmask in some way. For almost a decade, netmask has been reading octal input as if it were a decimal string: it simply stripped the leading 0 and treated the remaining digits as the value. Are all 270,000 projects vulnerable? Most likely not: it depends entirely on how each project uses the library.
Although most commonly seen IPv4 addresses are expressed in decimal format, an IP address has a variety of formats, including hexadecimal and integer.
According to the IETF's Textual Representation of IPv4 and IPv6 Addresses, parts of an IPv4 address are interpreted as octal if prefixed with a "0".
However, as per Sahler and Viale,
netmask ignores this. It will always consider parts as being decimal, which means that if you try and validate that an IP belongs in a range, it will be wrong for octal-based representations of IPv4 addresses.
This bug may not seem very important, but let’s imagine that an attacker is able to influence the IP address input parsed by the application. The bug can trigger various vulnerabilities, including Server-Side Request Forgery (SSRF) bypasses and Remote File Inclusion (RFI).
Back in 2018, an identical flaw was found in the popular software project curl, which parsed octal IPv4 octets as decimal. According to Ax Sharma, running "curl -v 0220.127.116.11" had curl connecting to 18.104.22.168 instead of the loopback address 127.0.0.1.
I learned that getaddrinfo() converts IPv4 addresses given as octal to decimal. See “ping 022.214.171.124” or even “curl 0126.96.36.199” … (the latter usually gets a 400 due to the funny Host:)
— Daniel Stenberg (@bagder) September 27, 2018
Many network infrastructure and security products rely on netmask to filter out IPs present on blocklists and allowlists. If left unchecked, vulnerabilities like these can lead to a serious failure in perimeter security controls.
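The following is an added example, not code from the netmask project, that contrasts the leading-zero behaviour described above with an inet_aton-style parser (the BSD/glibc convention behind the curl anecdote: "0x" prefix is hex, a leading "0" is octal) and a strict validator that rejects the ambiguous forms outright; `isAmbiguous` flags addresses on which a blocklist check built on the naive parser would see a different host than the system resolver.

```javascript
// Added example (not from the netmask project): three ways of reading a
// dotted IPv4 string, to show why a leading-zero octet is dangerous in a filter.

// Naive parse, the pre-2.0.0 netmask behaviour described in the article: each
// octet is read with parseInt(octet, 10), which silently drops a leading "0".
function parseNaive(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  if (octets.some((o) => Number.isNaN(o) || o < 0 || o > 255)) return null;
  return octets;
}

// inet_aton-style parse (assumed BSD/glibc convention): "0x" prefix is hex,
// a leading "0" is octal, anything else is decimal. Only the four-part
// dotted form is handled here; out-of-range octets are rejected.
function parseInetAton(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) v = parseInt(p, 10);
    else return null;
    if (v > 255) return null;
    octets.push(v);
  }
  return octets;
}

// Strict parse for input validation: only canonical decimal octets with no
// leading zeros, so ambiguous forms are rejected instead of guessed at.
function parseStrict(ip) {
  const octet = "(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
  if (!new RegExp(`^(${octet}\\.){3}${octet}$`).test(ip)) return null;
  return ip.split(".").map(Number);
}

// True when the naive and inet_aton readings of an address disagree, i.e. a
// blocklist or allowlist check built on the naive parser tests the wrong host.
function isAmbiguous(ip) {
  const a = parseNaive(ip);
  const b = parseInetAton(ip);
  return a !== null && b !== null && a.join(".") !== b.join(".");
}
```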
After the vulnerability was reported, netmask developer Olivier Poitrey released a series of fixes for the bug, along with test cases validating that IPv4 octets with 0-prefixes are treated as octal and not decimal numbers.
Additionally, the fix for CVE-2021-28918 has been released in version 2.0.0 of netmask on npm.