A flaw in a network library affects more than 270,000 applications

Sometimes a small grain of sand can do a lot of damage. Sick.codes security researchers recently found a flaw in “netmask” (CVE-2021-29418), a software module used by more than 270,000 projects on GitHub that handles IPv4 addresses in CIDR (Classless Inter-Domain Routing) notation. This notation is particularly useful for defining and managing subnets (example: 192.168.0.4/24).

An IPv4 address is usually written in dotted decimal form, but other forms, such as binary, hexadecimal or octal, are also used and may be accepted by parsers. The netmask module, however, did not handle the octal form correctly: the address 0127.0.0.1 was interpreted as 127.0.0.1 (localhost), when it is actually 87.0.0.1 (0127 in octal is 87 in decimal). A confusion which, we suspect, can be fatal in many cases. “The individual who controls 87.0.0.1, someone who is in Italy and who is connected to Telecom Italia, could distribute malware to an application that uses netmask to verify that a request is local or not”, the researchers emphasize.
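The following is an added example, not code from the netmask module or from Sick.codes. It models the defect described above with two octet parsers: a naive one that parses every octet as decimal and so silently drops the leading zero, and an octal-aware one, then runs both through a CIDR membership check of the "is this request local?" kind. The function names and the modelling of the pre-2.0 behaviour as a plain decimal parse are assumptions for illustration.

```javascript
// Added example (not the netmask module's code). Naive parser: parseInt with
// base 10 ignores the leading zero, so "0127" becomes 127 (the bug's effect).
function parseOctetNaive(octet) {
  if (!/^\d+$/.test(octet)) throw new RangeError(`bad octet: ${octet}`);
  const n = parseInt(octet, 10);
  if (n > 255) throw new RangeError(`octet out of range: ${octet}`);
  return n;
}

// Octal-aware parser: "0x" prefix is hexadecimal, a leading "0" is octal,
// anything else is decimal. Digits must fit the base and the value a byte.
function parseOctetStrict(octet) {
  let base = 10, digits = octet;
  if (/^0[xX]/.test(octet)) { base = 16; digits = octet.slice(2); }
  else if (octet.length > 1 && octet[0] === '0') { base = 8; digits = octet.slice(1); }
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/ }[base];
  if (!valid.test(digits)) throw new RangeError(`bad octet: ${octet}`);
  const n = parseInt(digits, base);
  if (n > 255) throw new RangeError(`octet out of range: ${octet}`);
  return n;
}

// Split dotted notation into four numeric octets using the given parser.
function parseAddr(addr, parseOctet) {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new RangeError(`expected four octets: ${addr}`);
  return parts.map(parseOctet);
}

// Canonical decimal form, e.g. "0127.0.0.1" -> "87.0.0.1" with the strict parser.
function toDotted(addr, parseOctet) {
  return parseAddr(addr, parseOctet).join('.');
}

// 32-bit unsigned integer value of the address.
function toInt(addr, parseOctet) {
  return parseAddr(addr, parseOctet).reduce((acc, o) => acc * 256 + o, 0);
}

// CIDR membership test, e.g. inCidr(x, "127.0.0.0/8", ...) as a loopback check.
function inCidr(addr, cidr, parseOctet) {
  const [net, bits] = cidr.split('/');
  const prefix = Number(bits);
  if (!(prefix >= 0 && prefix <= 32)) throw new RangeError(`bad prefix: ${cidr}`);
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const a = (toInt(addr, parseOctet) & mask) >>> 0;
  const n = (toInt(net, parseOctet) & mask) >>> 0;
  return a === n;
}
```

With the naive parser, 0127.0.0.1 passes a 127.0.0.0/8 loopback check; with the octal-aware parser it normalises to 87.0.0.1 and fails it. At a trust boundary the safest policy is stricter still: reject any non-canonical (leading-zero or hexadecimal) octet outright rather than interpret it.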


The researchers alerted the developer of netmask, who is no unknown: Olivier Poitrey, director of engineering at Netflix and co-founder of Dailymotion. Together, they developed a patch, available in netmask version 2.0. It is now up to developers to update their projects.

Source: Sick.codes
