fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Critical Netmask Networking Bug Impacts Thousands Of Applications

Critical Netmask Networking Bug Impacts Thousands Of Applications

Popular npm library netmask has a critical networking vulnerability.

netmask is frequently used by hundreds of thousands of applications to parse IPv4 addresses and CIDR blocks or compare them.

The component gets over 3 million weekly downloads, and as of today, has scored over 238 million total downloads over its lifetime. Further, about 278,000 GitHub repositories depend on netmask.

The bug present in the library means when parsing an IP address with a leading zero, netmask sees a different IP due to improper validations in place. 

Leading zero changes the IP address

Today, security researchers Victor VialeSick CodesNick SahlerKelly Kaoudis, and John Jackson have disclosed a flaw in the popular netmask library.

The vulnerability, tracked as CVE-2021-28918, concerns how netmask handles mixed-format IP addresses, or more specifically when a decimal IPv4 address contains a leading zero.

An IP address can be represented in a variety of formats, including hexadecimal and integer, although most commonly seen IPv4 addresses are expressed in decimal format.

For example, BleepingComputer’s IPv4 address represented in decimal format is 104.20.59.209, but the same can be expressed in the octal format as, 0150.0024.0073.0321.

Say you are given an IP address in decimal format, 127.0.0.1, which is widely understood as the local loopback address or localhost.

Also Read: The DNC Singapore: Looking At 2 Sides Better

If you were to prefix a 0 to it, should an application still parse 0127.0.0.1 as 127.0.0.1 or something else?

Try this in your web browser. In tests by BleepingComputer, typing 0127.0.0.1/ in Chrome’s address bar has the browser treating it as an IP in octal format.

On pressing enter or return, the IP in fact changes to its decimal equivalent of 87.0.0.1, which is how most applications are supposed to handle such ambiguous IP addresses. 

mixed-format ipv4 address
Most web browsers like Chrome automatically compensate for mixed-format IPs.

Of particular note is the fact, 127.0.0.1 is not a public IP address but a loopback address, however, its ambiguous representation changes it to a public IP address leading to a different host altogether.

But, in the case of the npm library netmask, any leading zeros would simply be stripped and discarded.

According to IETF’s original specification, parts of an IPv4 address can be interpreted as octal if prefixed with a “0.”

“But netmask ignores this. It will always consider parts as being decimal, which means that if you try and validate that an IP belongs in a range, it will be wrong for octal-based representations of IPv4 addresses,” Sahler and Viale told BleepingComputer in an email interview.

SSRF and blocklist bypass to Remote File Inclusion

At first glance this bug may seem like no big deal but should an attacker be able to influence the IP address input being parsed by the application, the bug can give rise to various vulnerabilities, from Server-Side Request Forgery (SSRF) bypasses to Remote File Inclusion (RFI).

The researchers shared various examples with BleepingComputer demonstrating the same.

“Someone is running a node server to sanitise an inbound request or query parameter expected to be a URI used for further connection, fetching resources, something like that.”

“Attacker crafts an IP with some or all octets in base-8, in the older 0-prefixed JavaScript representation.”

“This could be useful for SSRF, for example, to force a server to connect to 127.0.0.1 by passing in 0177.0.0.01. 177 is base-8 for 127 in decimal,” Kaoudis told BleepingComputer.

“A good example is a system that exposes webhooks and validates the user URLs through a netmask check is vulnerable to SSRF,” Viale also added.

Whereas, this bug can also be exploited for Remote File Inclusion (RFI) should an attacker craft an IP address that looks private to netmask, because of the way netmask converts all IPv4 parts (octets) to decimal format, but is evaluated as public by other components, Kaoudis explained to BleepingComputer.

In 2018, the popular software project curl was also found to have an identical flaw where it treated parse octal IPv4 addresses as decimal: 

In tests by BleepingComputer, running “curl -v 0177.0.0.1” has curl connecting to 177.0.0.1 as opposed to the loopback address 127.0.0.1.

curl ipv4 flaw tweet
Curl had earlier suffered from an identical flaw
Source: Twitter

Back then, an ethical hacker Nicolas Grégoire had also shed light on how such a flaw could be exploited to bypass IP-based Access Control Lists (ACLs).

“I often use these conversions in order to bypass anti-SSRF blacklists,” said Grégoire.

Various network infrastructure and security products, such as Web Application Firewalls rely on netmask to filter out IPs present on blocklists and allowlists.

This also means flaws like these, if left unchecked, can lead to serious slip-ups in perimeter security controls.

Previously, Sick Codes, Jackson, and Sahler had identified a similar flaw in the private-ip package which turns out, also uses netmask as a dependency even today.

Ultimately, Jackson says, this newly discovered issue in netmask leaves thousands of projects vulnerable to the SSRF bypass.

“Netmask has millions of downloads weekly, making the impact quite heavy. This is a huge software supply chain vulnerability.”

“In retrospect, our private-ip CVE hit a 9.8 in criticality and only had around 175,000 downloads weekly,” Jackson told BleepingComputer.

The researcher’s main concern is that many projects using netmask for IP parsing may be under the mistaken assumption that they are protected against SSRF.

Also Read: 4 Best Practices On How To Use SkillsFuture Credit

Fixed version released on npm

Following the researchers’ responsible reporting of the vulnerability, netmask developer Olivier Poitrey pushed out a series of fixes [123] for the bug to GitHub, along with test cases validating that IPv4 octets with 0-prefixes are treated as octal and not decimal numbers.

The fix for CVE-2021-28918 has been released in version 2.0.0 of netmask on npm downloads.

When asked for comment on the critical nature of this vulnerability, the developer told BleepingComputer that it depends on how one defines “critical.”

“Depends how you define critical and how you use this lib. It’s not a buffer overflow or remote execution kind of bug.”

“I can not DoS your app but weaken your ACL if it’s based on IP access using this lib.”

“I have yet to imagine a scenario where it could be exploited though, as most of the time ACLs are based on IPs learned from the IP stack, and those will never use the vulnerable format,” Poitrey told BleepingComputer.

Users of the netmask npm library are encouraged to upgrade to the fixed version 2.0.0.

The researchers have disclosed their findings in a GitHub advisory and a blog post.

Although BleepingComputer has not yet come across information indicating if the Perl component Net::Netmask also suffers from this flaw, developers using the Perl version are advised to ensure their applications sanitize and normalize IP addresses prior to passing these as inputs to Netmask.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us