Sometimes a small grain of sand can do a lot of damage. Sick.codes security researchers recently found a flaw in “netmask” (CVE-2021-29418), a software module used by more than 270,000 projects on GitHub that handles IPv4 addresses written in CIDR (Classless Inter-Domain Routing) notation. This notation is particularly useful for defining and managing subnets (for example: 192.168.0.4/24).
Usually, an IPv4 address is written in decimal form. But other forms are also used, such as binary, hexadecimal or octal, which can be useful. The netmask software, however, did not support the octal form: the address 0127.0.0.1 was interpreted as 127.0.0.1 (localhost), when it actually denotes 87.0.0.1. A confusion which, we suspect, can be fatal in many cases. “The individual who controls 87.0.0.1, someone who is in Italy and who is connected to Telecom Italia, could distribute malware to an application that uses netmask to verify whether a request is local or not.”
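To make the bug class concrete, here is an added example (not netmask's own code, nor the researchers') that contrasts a lenient octet parser, which mirrors the failure mode described above, with a strict one. The strict parser follows the conventional inet_aton rules (a `0x` prefix means hexadecimal, a leading `0` means octal, otherwise decimal), so `0127` is read as octal 127, which is 87 in decimal; the function names and the sample inputs are this example's own.

```javascript
// Lenient parse: parseInt() with base 10 on each octet silently ignores the
// leading zero of "0127" and yields 127. This reproduces the bug class the
// article describes; it is a constructed illustration, not netmask's code.
function lenientParseIPv4(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  if (octets.some((n) => Number.isNaN(n) || n < 0 || n > 255)) return null;
  return octets;
}

// Strict octet parse: honour the classic inet_aton forms and reject the rest.
//   0x7f  -> hexadecimal 127
//   0127  -> octal 87
//   127   -> decimal 127
//   08    -> invalid (leading zero but not a valid octal digit string)
function strictParseOctet(p) {
  let value;
  if (/^0[xX][0-9a-fA-F]+$/.test(p)) value = parseInt(p.slice(2), 16);
  else if (/^0[0-7]+$/.test(p)) value = parseInt(p.slice(1), 8);
  else if (/^(0|[1-9][0-9]*)$/.test(p)) value = parseInt(p, 10);
  else return null;
  return value >= 0 && value <= 255 ? value : null;
}

function strictParseIPv4(str) {
  const parts = str.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map(strictParseOctet);
  if (octets.some((o) => o === null)) return null;
  return octets;
}

// Canonical dotted-decimal rendering of parsed octets (null passes through).
function toDotted(octets) {
  return octets === null ? null : octets.join('.');
}

// Loopback test done on parsed octets, so the answer does not depend on how
// the string happened to be spelled.
function isLoopback(octets) {
  return octets !== null && octets[0] === 127;
}

// Safest policy for an access-control check: accept only canonical
// dotted-decimal spellings and reject every alternative form outright.
function isCanonicalDecimalIPv4(str) {
  return /^(0|[1-9][0-9]{0,2})(\.(0|[1-9][0-9]{0,2})){3}$/.test(str) &&
    strictParseIPv4(str) !== null;
}

// Constructed sample inputs showing where the two parsers disagree.
const samples = ['127.0.0.1', '0127.0.0.1', '0x7f.0.0.1', '08.0.0.1'];
for (const s of samples) {
  const lenient = lenientParseIPv4(s);
  const strict = strictParseIPv4(s);
  console.log(
    s.padEnd(12),
    '| lenient:', String(toDotted(lenient)).padEnd(10), 'loopback?', isLoopback(lenient),
    '| strict:', String(toDotted(strict)).padEnd(10), 'loopback?', isLoopback(strict),
    '| canonical?', isCanonicalDecimalIPv4(s)
  );
}
```

The lenient parser answers "loopback" for `0127.0.0.1`, while the strict parser resolves it to `87.0.0.1` and answers "not loopback"; the hex form `0x7f.0.0.1` shows the reverse mismatch, where the lenient parser reads `0x7f` as 0. For code that gates trust on an address, rejecting non-canonical spellings (the last column) removes the ambiguity entirely rather than trying to interpret it.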
The researchers alerted the developer of netmask, who is no stranger to the industry: Olivier Poitrey, director of engineering at Netflix and co-founder of Dailymotion. Together, they developed a patch, available in netmask version 2.0. It is now up to developers to update their projects.