The flaw, which could lead to SSRF, has now been patched
UPDATED A trio of Perl modules are potentially vulnerable to a serious upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and lookup IP network blocks.
The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator, said Perl developer Dave Rolsky in a blog post published yesterday (March 29).
Security implications
As reported by The Daily Swig, the potentially “catastrophic” security vulnerability in Netmask, an NPM package, could lead to server-side request forgery (SSRF) in downstream applications.
The nine-year old, unauthenticated flaw was remediated in Netmask v2.0, issued on March 20, although the subsequent discovery of a further flaw prompted the project maintainer to release v2.1 yesterday.
BACKGROUND SSRF vulnerability in NPM package Netmask impacts up to 279k projects
The improper input validation bug, which potentially impacts up to 279,000 GitHub projects, means that parsing an IP address with a leading zero results in Netmask seeing an entirely different IP.
Data-Validate-IP mitigation
Although Data-Validate-IP doesn’t misparse octal numbers, it could still be susceptible to the Netmask flaw “depending on exactly how your code uses this distro”, said Rolsky.
“This distribution returns false for any is_*_ipv4 method that includes an octal number,” explains Rolsky. “So both is_private_ipv4('010.0.0.1') and is_public_ipv4('010.0.0.1') return false.
Read more of the latest SSRF attacks and exploits
“I updated the documentation to explicitly recommend that you always call is_ipv4() in addition to calling a method like is_private_ipv4(),” said the developer.
Rolsky also noted that Net-CIDR-Lite is currently not being maintained until a new volunteer is found.
Other CPAN modules used for working with IP addresses and netmasks – Socket, Net-DNS, NetAddr-IP, Net-Subnet, and Net-Patricia – appear to be unaffected, he added.
This article was updated on March 30 to reflect the discovery and remediation of another flaw in Netmask arising from a flawed patch.
The Daily Swig has contacted Dave Rolsky for further comment and this article will be updated should we receive a response.
RELATED Backdoor planted in PHP Git repository after server hack
