IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Netmask flaw allows hackers to bypass server access controls

The vulnerability could leave thousands of networks open to server-side request forgery

Security researchers have discovered a bug in the networking npm library netmask that enables hackers to bypass servers’ access controls and launch server-side request forgery attacks.

According to researchers at Sick Codes, hundreds of thousands of applications use the package to parse or compare IPv4 addresses and Classless Inter-Domain Routing (CIDR) blocks.

The problem is extensive because over 278,000 GitHub repositories use the code, which users downloaded over three million times last week alone. Researchers said the flaw has existed for over nine years.

The problem stems from the way netmask handles mixed-format IP addresses. When parsing an IP address with a leading zero, node-netmask sees a different IP address due to incorrect in-place validation.

An IP address can be represented in various formats, including hexadecimal and integer, although the most common IPv4 addresses are expressed in decimal format. 

For example, an IPv4 address represented in decimal format as 86.136.177.134 can be expressed in an octal format as 0126.0210.0261.0206. By prefixing the IPv4 address with a 0, pressing enter or returning will change the IP address to its decimal equivalent, 87.0.0.1, which is how most applications should handle such ambiguous IP addresses.

In the case of the netmask npm library, it’ll strip and discard any leading zeros. According to the original IETF specification, portions of an IPv4 address can be interpreted as octal if preceded by a "0" prefix.

The researchers warned that anyone could submit an address in netmask that looks like a private IP, but it connects to a public IP to download malicious files.

“If your browser recognizes octal literals, but a NodeJS application does not, users can submit all kinds of malevolent URLs that seem internal, but really go to remote files.

On the other hand, users can ALSO submit URLs that seem public, but they’re actually very private!” said researchers.

While the vulnerability seems insignificant, if an attacker can interfere with the IP address input analyzed by the application, the problem could lead to various other attacks, from Server-Side Request Forgery (SSRF) to remote access.

Related Resource

Remote workforce security report

Key challenges, security threats, and investment priorities of organisations during the pandemic

remote workforce security report - whitepaper from OktaDownload now

Researchers have reported the vulnerability to node-netmask developer Olivier Poitrey, who posted a series of fixes for the GitHub repository issue. Experts recommend netmask npm library users upgrade to version 2.0.0.

Ax Sharma, a security researcher at Sonatype, told ITPro that the vulnerability means hundreds of thousands of applications that rely on popular open source components, like this one, may not realize they could be potentially vulnerable to anti-Server-Side Request Forgery (SSRF) bypasses or remote file inclusion (RFI) should they be purely relying on netmask for parsing IP addresses, without adding their own proper input sanitization and normalization checks.

“This highlights the need for proper input hygiene and never trusting input no matter the source. In this case, for example, the fixes [1, 2] applied to netmask now take into account that IP addresses can also be provided in octal or hexadecimal formats, something users of netmask could also have implemented on their end as an extra precaution,” Sharma said.

Featured Resources

Four strategies for building a hybrid workplace that works

All indications are that the future of work is hybrid, if it's not here already

Free webinar

The digital marketer’s guide to contextual insights and trends

How to use contextual intelligence to uncover new insights and inform strategies

Free Download

Ransomware and Microsoft 365 for business

What you need to know about reducing ransomware risk

Free Download

Building a modern strategy for analytics and machine learning success

Turning into business value

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack
hacking

Russian hackers declare war on 10 countries after failed Eurovision DDoS attack

16 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Google Russia files for bankruptcy, ends operations in the country
Business operations

Google Russia files for bankruptcy, ends operations in the country

19 May 2022