
Serious Netmask vulnerability found to affect three Perl IP modules

UPDATED A trio of Perl modules are potentially vulnerable to a serious upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and lookup IP network blocks.

The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator, said Perl developer Dave Rolsky in a blog post published yesterday (March 29).

Security implications

As reported by The Daily Swig, the potentially “catastrophic” security vulnerability in Netmask, an NPM package, could lead to server-side request forgery (SSRF) in downstream applications.

The nine-year-old, unauthenticated flaw was remediated in Netmask v2.0, issued on March 20, although the subsequent discovery of a further flaw prompted the project maintainer to release v2.1 yesterday.

The improper input validation bug, which potentially impacts up to 279,000 GitHub projects, means that parsing an IP address with a leading zero results in Netmask seeing an entirely different IP.

Data-Validate-IP mitigation

Although Data-Validate-IP doesn’t misparse octal numbers, it could still be susceptible to the Netmask flaw “depending on exactly how your code uses this distro”, said Rolsky.

“This distribution returns false for any is_*_ipv4 method that includes an octal number,” explains Rolsky. “So both is_private_ipv4('010.0.0.1') and is_public_ipv4('010.0.0.1') return false.

“I updated the documentation to explicitly recommend that you always call is_ipv4() in addition to calling a method like is_private_ipv4(),” said the developer.
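The leading-zero ambiguity behind the flaw, and the validate-then-classify habit Rolsky recommends, as an added JavaScript example (this is not code from the article, from Netmask, or from any of the Perl modules named; every function name in it is assumed for the demo):

```javascript
// Added example, not code from the article, Netmask or the Perl modules named:
// "010.0.0.1" is 10.0.0.1 (private) to a decimal-only parser but 8.0.0.1 (public)
// to an inet_aton-style parser that treats a leading-zero octet as octal. A strict
// validator rejects the literal outright, which is the "call is_ipv4() first"
// habit Rolsky recommends. All function names here are assumed for the demo.

// Clamp a parsed octet to 0..255; NaN from a failed parseInt also yields null.
function inRange(n) {
  return Number.isInteger(n) && n >= 0 && n <= 255 ? n : null;
}
// Lenient, decimal-only octet (the pre-fix Netmask reading): "010" -> 10.
function decimalOctet(s) {
  return /^[0-9]+$/.test(s) ? inRange(parseInt(s, 10)) : null;
}
// inet_aton-style octet: "0x.." is hex, a leading "0" makes it octal, and a
// leading-zero octet containing a non-octal digit ("09") is rejected.
function octalAwareOctet(s) {
  if (/^0x[0-9a-f]+$/i.test(s)) return inRange(parseInt(s.slice(2), 16));
  if (/^0[0-9]+$/.test(s)) return /^0[0-7]+$/.test(s) ? inRange(parseInt(s, 8)) : null;
  return /^[0-9]+$/.test(s) ? inRange(parseInt(s, 10)) : null;
}
// Strict octet: canonical decimal only, so no leading zeros and no hex.
function strictOctet(s) {
  return /^(0|[1-9][0-9]{0,2})$/.test(s) ? inRange(parseInt(s, 10)) : null;
}
// Split a dotted quad and parse each octet with the given rule; null on failure.
function parseDotted(addr, octetFn) {
  const parts = addr.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map(octetFn);
  return octets.every((o) => o !== null) ? octets : null;
}
// RFC 1918 ranges plus loopback, checked on already-parsed octets.
function isPrivateIPv4(o) {
  const [a, b] = o;
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}
// Validate, then classify: a non-canonical literal is rejected, never classified.
function isPublicIPv4Strict(addr) {
  const o = parseDotted(addr, strictOctet);
  return o !== null && !isPrivateIPv4(o);
}
// Render a parse result for comparison: "8.0.0.1" / "10.0.0.1" / "invalid".
function render(addr, octetFn) {
  const o = parseDotted(addr, octetFn);
  return o === null ? "invalid" : o.join(".");
}
```

Run `render("010.0.0.1", decimalOctet)` against `render("010.0.0.1", octalAwareOctet)` to see the two readings disagree, while `isPublicIPv4Strict("010.0.0.1")` simply refuses the literal.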

Rolsky also noted that Net-CIDR-Lite is currently not being maintained until a new volunteer is found.

Other CPAN modules used for working with IP addresses and netmasks – Socket, Net-DNS, NetAddr-IP, Net-Subnet, and Net-Patricia – appear to be unaffected, he added.

This article was updated on March 30 to reflect the discovery and remediation of another flaw in Netmask arising from a flawed patch.

Source: https://portswigger.net/daily-swig/serious-netmask-vulnerability-found-to-affect-three-perl-ip-modules
