278,000 GitHub Repositories Affected by a Critical Networking Flaw in Netmask

 

Security researchers have unearthed a critical networking flaw CVE-2021-28918 in a popular npm library netmask. Netmask is commonly utilized by tons of thousands of applications to analyze IPv4 addresses and CIDR blocks or compare them. 

Netmask usually gets over 3 million weekly downloads, and as of today, has scored over 238 million complete downloads over its lifetime. Apart from this, nearly 278,000 GitHub repositories depend on the netmask. Due to improper input validation flaw, netmask sees a different IP and this flaw could allow hackers to achieve server-side request forgery (SSRF) in downstream applications.

 Security researchers Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson were responsible for tracking down the vulnerability in the popular netmask library. The flaw was initially detected when security researchers including Codes were designing a patch for a separate, critical, SSRF flaw (CVE-2020-28360) in downstream package Private-IP, which helps in preventing personal IP addresses from communicating with an application’s internal resources.

According to a GitHub advisory published by Sick Codes, “the primary cause of the problem turned out to be Netmask’s incorrect evaluation of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound.”

Security researchers initially discovered the flaw on March 16 and advised node js developers to examine their projects for use of Netmask and upgrade immediately if they identify the package in use. Sick Codes stated that the 30 billion nodejs packages downloaded last week were mostly installed by automated CI/CD pipelines and with no manual runtime inspections.

Olivier Poitrey, netmask developer and director of engineering at Netflix, released a series of patches [1,2,3] for the bug to GitHub, containing test cases validating that IPv4 octets with 0 prefixes are treated as octal and not decimal numbers. Earlier this month, the Perl component Net::Netmask also suffered from this bug.