The netmask npm package contains a vulnerability that could expose private networks and lead to a number of attacks, including malware distribution.
The newly discovered flaw (identified as CVE-2021-28918) stems from the package’s inability to correctly read octal encoding, resulting in the misinterpretation of supplied IP addresses.
Netmask is a widely used library for parsing, comparing and exploring IPv4 CIDR blocks. It receives millions of weekly downloads and is currently depended on by over 278,000 other projects.
Because of this flaw, netmask treats private IP addresses as external IP addresses and vice versa, potentially exposing users to a variety of attacks depending on how the package is used.
Server-side request forgery, remote file inclusion, and local file inclusion are only a few of the potential attacks, according to Sick Codes, a security researcher.
Working with application developer and researcher Victor Viale, Sick Codes discovered that netmask misreads the first octet of an IP address that begins with 0, which is octal notation, as a plain decimal value.
An unauthenticated remote attacker may exploit the flaw in the package to trick an application into fetching malicious code from an external IP address as if it came from within the local network.
“Using input data like 012.0.0.1 (10.0.0.1), which netmask evaluates as 188.8.131.52 (public), a remote authenticated or unauthenticated intruder may bypass packages that depend on netmask to filter IP address blocks to access intranets, VPNs, containers, adjacent VPC instances, or LAN hosts,” Sick Codes describes.
Browsers interpret such octal strings correctly, so if a Node.js application relying on netmask does not, an attacker can submit URLs that appear to point to internal hosts but actually resolve to remote files.
“However, you don’t need a special IP address to do this; simply upload a public URL and receive local files in return,” the researcher continues. “There are literally so many weaknesses created by this that it will make your head spin.”
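The octet-parsing mismatch described above, as an added example that is not netmask's own code: a decimal-only octet parser (the misreading behind CVE-2021-28918) beside one that honours octal and hex prefixes the way browsers and the OS resolver do, feeding a small private-range classifier. Function names, the range table and the sample inputs are this example's own.

```javascript
// Naive: parseInt(s, 10) drops the leading zero, so "012" is read as 12.
function naiveOctet(s) {
  const n = parseInt(s, 10);
  return Number.isNaN(n) ? null : n;
}

// Strict: honour 0x (hex) and leading-0 (octal) prefixes, reject anything else.
function strictOctet(s) {
  let m;
  if ((m = /^0[xX]([0-9a-fA-F]+)$/.exec(s))) return inRange(parseInt(m[1], 16));
  if ((m = /^0([0-7]+)$/.exec(s))) return inRange(parseInt(m[1], 8));
  if (/^(0|[1-9][0-9]*)$/.test(s)) return inRange(parseInt(s, 10));
  return null; // "08", "1a", "", " 1" are all rejected
}
function inRange(n) { return n >= 0 && n <= 255 ? n : null; }

// Parse dotted-quad text into four numeric octets, or null if invalid.
function parseIPv4(addr, octetFn) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(octetFn);
  return octets.some(o => o === null) ? null : octets;
}

function toInt(o) { return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0; }

// RFC 1918 private ranges plus loopback, as [network, prefix length] (constructed table).
const PRIVATE = [[0x0a000000, 8], [0xac100000, 12], [0xc0a80000, 16], [0x7f000000, 8]];

// Classify as 'private', 'public' or 'invalid'. A request filter should treat
// 'invalid' like 'private' (deny) rather than letting it fall through as public.
function classify(addr, octetFn = strictOctet) {
  const octets = parseIPv4(addr, octetFn);
  if (!octets) return 'invalid';
  const ip = toInt(octets);
  const hit = PRIVATE.some(([net, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return (ip & mask) >>> 0 === (net & mask) >>> 0;
  });
  return hit ? 'private' : 'public';
}

// Constructed demo: the same input text yields opposite verdicts.
console.log(classify('012.0.0.1', naiveOctet));  // 'public'  (misread as 12.0.0.1)
console.log(classify('012.0.0.1'));              // 'private' (correctly 10.0.0.1)
```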
Within days of the vulnerability being responsibly disclosed, the netmask package, which is maintained by Marcus Dunn, Netflix’s director of engineering, was patched.
The fix addressed how netmask interprets base-8 (octal) and base-16 (hexadecimal) input, as well as whitespace handling. To close off the attack surface, all other packages and APIs that depend on netmask must be updated to the patched version.