UPDATED A trio of Perl modules are potentially vulnerable to a serious upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and lookup IP network blocks.
The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator, said Perl developer Dave Rolsky in a blog post published yesterday (March 29).
Security implications
As reported by The Daily Swig, the potentially “catastrophic” security vulnerability in Netmask, an NPM package, could lead to server-side request forgery (SSRF) in downstream applications.
The nine-year old, unauthenticated flaw was remediated in Netmask v2.0, issued on March 20, although the subsequent discovery of a further flaw prompted the project maintainer to release v2.1 yesterday.
The improper input validation bug, which potentially impacts up to 279,000 GitHub projects, means that parsing an IP address with a leading zero results in Netmask seeing an entirely different IP.
Data-Validate-IP mitigation
Although Data-Validate-IP doesn’t misparse octal numbers, it could still be susceptible to the Netmask flaw “depending on exactly how your code uses this distro”, said Rolsky.
“This distribution returns false for any is_*_ipv4 method that includes an octal number,” explains Rolsky. “So both is_private_ipv4(‘010.0.0.1’) and is_public_ipv4(‘010.0.0.1’) return false.
“I updated the documentation to explicitly recommend that you always call is_ipv4() in addition to calling a method like is_private_ipv4(),” said the developer.
Rolsky also noted that Net-CIDR-Lite is currently not being maintained until a new volunteer is found.
Other CPAN modules used for working with IP addresses and netmasks – Socket, Net-DNS, NetAddr-IP, Net-Subnet, and Net-Patricia – appear to be unaffected, he added.
This article was updated on March 30 to reflect the discovery and remediation of another flaw in Netmask arising from a flawed patch.
