A vulnerability in the netmask npm package could expose private networks and lead to a variety of attacks, including malware delivery.
The newly identified issue (which is tracked as CVE-2021-28918) resides in the fact that the package would incorrectly read octal encoding, essentially resulting in the misinterpretation of supplied IP addresses.
Designed to parse IPv4 CIDR blocks to allow for their comparison and exploration, netmask is highly popular, registering millions of weekly downloads. At the moment, it is used by more than 278,000 other projects.
Because of this bug, netmask would consider private IP addresses as external IP addresses and the other way around, thus opening the door to a wide range of attacks, depending on the manner in which the package is used.
Some of the possible attacks include server-side request forgery, remote file inclusion, and local file inclusion, among others, a security researcher going by the name of Sick Codes explains.
Working together with application developer and researcher Victor Viale, Sick Codes discovered that netmask is incorrectly evaluating the first octet in an IP address that starts with 0, which is in octal format, and reads it as a true decimal value.
A remote, unauthenticated attacker could leverage the vulnerability to trick an application using the flawed package into fetching malicious code from an external IP address as if it was supplied from within the local network.
“A remote authenticated or unauthenticated attacker can bypass packages that rely on netmask to filter IP address blocks to reach intranets, VPNs, containers, adjacent VPC instances, or LAN hosts using input data such as 012.0.0.1 (10.0.0.1), which netmask evaluates as 18.104.22.168 (public),” Sick Codes explains.
Even if the browser would recognize octal strings, if a nodejs application does not, attacks are possible, allowing users to users can submit malicious URLs that seem internal, yet which in reality lead to remote files.
“You don’t need a special IP address to do this though, you can simply submit a public URL and get local files back. There’s literally so many vulnerabilities caused by this that it will make your head spin,” the researcher adds.
The netmask package, which is maintained by Marcus Dunn, director of engineering at Netflix, was patched within days after the vulnerability was responsibly reported.
The fix covered the manner in which netmask interprets base-8 integers, base-16 integers, and hexadecimal input, as well as the situations where white-spaces are used. All other packages and APIs that leverage netmask need to be updated to address the potential exposure to attacks.