Netmask’s major security vulnerability, undiscovered for over nine years, has been patched
Netmask’s security flaw lay undetected for almost a decade, and this “catastrophic” vulnerability has now been patched. Netmask is an NPM package used by over 279,000 open source projects. In a technical write-up published on Sunday, 28th of March, security researcher Sick Codes revealed that the vulnerability is extremely dangerous: the improper input validation flaw has a high potential to let remote, unauthenticated attackers achieve server-side request forgery (SSRF) in downstream applications.
To put Netmask’s popularity in perspective, it was downloaded over three million times in a single week. Sick Codes noted that the “lightweight” package is used by APIs, crypto projects, security software, and both back-end and front-end projects. He added that the exposure of a dependent project “depends entirely on how the project uses it.”
The issue emerged while researchers, including Sick Codes, were preparing a patch for a separate, critical SSRF vulnerability, **CVE-2020-28360**, in the downstream package Private-IP, which is used to stop private IP addresses from reaching an application’s internal resources. During that remediation, Netmask was used to help the researchers define IP address ranges, or blocks, using simpler notation.
The root cause was Netmask’s mistaken evaluation “of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound”, said Sick Codes in a security advisory. He continued, “There are literally so many vulnerabilities cause[d] by this that it will make your head spin”. Asked for cases in which the bug might be abused to obtain SSRF, the researcher pointed to a cloud platform with an ISO upload feature. “If that cloud uses netmask, then the user might be able to submit http://0177.0.0.1:/root/.ssh/id_rsa, and instead of the application fetching the ISO, it gets the file locally,” the researcher said. This “devastating” attack “works if FTP is running”.
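To make the octet-evaluation mistake concrete, the following added example (written for this article, not code from the Netmask package or from the advisory) contrasts a parser that left-strips zeros and reads every octet as decimal with an inet_aton-style parser that honours the octal and hexadecimal prefixes, then shows why the two disagree about whether `0177.0.0.1` sits inside `127.0.0.0/8`. The `isCanonicalIPv4` validator is a defensive addition of my own: it rejects any octet that is not plain dotted-decimal, so ambiguous forms never reach the range check.

```javascript
// Flawed behaviour described in the advisory: leading zeros are stripped and
// every octet is read as a base-10 integer, so "0177" becomes 177.
function naiveOctets(ip) {
  return ip.split('.').map(o => parseInt(o, 10));
}

// inet_aton-style behaviour, which many HTTP/FTP clients follow:
// "0x.." is hexadecimal, a leading "0" is octal, anything else is decimal.
function cOctets(ip) {
  return ip.split('.').map(o => {
    if (/^0x[0-9a-f]+$/i.test(o)) return parseInt(o, 16);
    if (/^0[0-7]+$/.test(o)) return parseInt(o, 8);
    if (/^(0|[1-9][0-9]*)$/.test(o)) return parseInt(o, 10);
    return NaN; // anything else is not a valid octet
  });
}

// Defensive check: accept only canonical dotted-decimal (four octets, no
// leading zeros, each 0-255). Octal or hex spellings are rejected outright.
function isCanonicalIPv4(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return false;
  return parts.every(o => /^(0|[1-9][0-9]{0,2})$/.test(o) && Number(o) <= 255);
}

// Is `ip` inside `cidr` when both are interpreted with the given octet parser?
// Compares only the top `bits` bits of the two 32-bit addresses.
function inBlock(cidr, ip, parse) {
  const [net, bitsStr] = cidr.split('/');
  const shift = 2 ** (32 - Number(bitsStr));
  const toInt = octs => octs.reduce((acc, o) => acc * 256 + o, 0);
  return Math.floor(toInt(parse(net)) / shift) === Math.floor(toInt(parse(ip)) / shift);
}

// Constructed input from the article: the loopback address spelled with an octal octet.
const SAMPLE = '0177.0.0.1';
console.log(naiveOctets(SAMPLE));                       // [177, 0, 0, 1]
console.log(cOctets(SAMPLE));                           // [127, 0, 0, 1]
console.log(inBlock('127.0.0.0/8', SAMPLE, naiveOctets)); // false: filter says "not loopback"
console.log(inBlock('127.0.0.0/8', SAMPLE, cOctets));     // true: the client connects to loopback
console.log(isCanonicalIPv4(SAMPLE));                   // false: strict validator rejects it
```

The disagreement between the two parsers is exactly the filter bypass the advisory describes; requiring canonical input before any range evaluation removes the ambiguity.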