CVE-2021-28918
Improper Input Validation vulnerability in netmask

Category: Improper Input Validation. Known exploit: none. Fix available from: Resolved Security.

What is CVE-2021-28918 About?

This vulnerability in the `netmask` npm package (v1.0.6 and below) is due to improper input validation of octal strings, allowing unauthenticated remote attackers to perform Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks. The crafted input bypasses IP filters in packages that depend on `netmask` for address checks, enabling access to internal network hosts. Exploitation requires sending specially crafted octal strings to vulnerable applications.

Affected Software

netmask <1.1.0

Technical Details

The `netmask` npm package, specifically version 1.0.6 and earlier, suffers from improper input validation when processing octal strings intended to represent IP addresses or network masks. This flaw allows an unauthenticated remote attacker to craft octal string inputs that the `netmask` package misinterprets. The misinterpretation lets attackers bypass IP filtering mechanisms in dependent packages that rely on `netmask` for network boundary checks. Consequently, the attacker can perform Server-Side Request Forgery (SSRF), Remote File Inclusion (RFI), and Local File Inclusion (LFI) attacks, covertly accessing or requesting resources from internal VPN or LAN hosts that should be unreachable from outside the network, effectively bypassing security controls.

What is the Impact of CVE-2021-28918?

Successful exploitation may allow attackers to bypass critical network filters, perform unauthorized server-side requests, and access or include sensitive local or remote files, leading to information disclosure or further network compromise.

What is the Exploitability of CVE-2021-28918?

Exploitation of this vulnerability involves crafting specific octal strings as input to an application that uses the vulnerable `netmask` package. The complexity is moderate: it requires knowledge of how the `netmask` package handles octal strings and of how common IP filtering is bypassed. No authentication is required, making this an unauthenticated remote attack vector. There are no explicit privilege requirements, as the vulnerability lies in input validation. Remote exploitation is highly probable wherever an application processes network-related input from untrusted sources, such as IP addresses or hostnames. The fact that the initial fix for a closely related issue was incomplete (CVE-2021-29418, fully fixed in 2.0.1) indicates that these types of bypasses are well understood and likely to be attempted.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2021-28918?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

This patch strengthens IP address parsing by rejecting non-decimal, octal, and hexadecimal notations and strictly validating each octet, ensuring only valid dotted decimal IPv4 addresses are accepted. It fixes CVE-2021-28918 by preventing attackers from bypassing security controls using dangerous alternate IP representations, such as octal or hexadecimal encoding.
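The following is an added example, not Resolved Security's patch or netmask's own code. It places an assumed lenient parser (a `parseInt(..., 10)` loop, hypothetical) beside a strict validator that implements the behaviour described above: only canonical dotted-decimal IPv4 is accepted, so octal-looking ("0177"), hexadecimal ("0x7f") and short-form inputs are rejected rather than silently reinterpreted. The expected-value comments rely on the fact that C's inet_aton reads a leading-zero octet as octal.

```javascript
// Added example for CVE-2021-28918: lenient vs. strict IPv4 octet parsing.
// Neither function is netmask's code; names and the lenient logic are assumed.

// Lenient parser (hypothetical): parseInt(p, 10) reads "0177" as decimal 177
// and "0x7f" as 0, so the filter sees a different host than the OS resolver,
// which treats a leading-zero octet as octal (0177 -> 127).
function lenientIpToLong(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error('Invalid IP: ' + ip);
  let long = 0;
  for (const p of parts) {
    const byte = parseInt(p, 10);
    if (Number.isNaN(byte) || byte < 0 || byte > 255) throw new Error('Invalid byte: ' + p);
    long = long * 256 + byte;
  }
  return long >>> 0;
}

// Strict parser: one canonical decimal form per octet. No leading zeros
// (octal ambiguity), no "0x" (hex), no sign, whitespace or exponent.
const OCTET = /^(0|[1-9][0-9]{0,2})$/;

function strictIpToLong(ip) {
  if (typeof ip !== 'string') throw new TypeError('IP must be a string');
  const parts = ip.split('.');
  if (parts.length !== 4) throw new Error('Expected exactly four octets: ' + ip);
  let long = 0;
  for (const p of parts) {
    if (!OCTET.test(p)) throw new Error('Non-canonical octet: ' + p);
    const byte = Number(p);
    if (byte > 255) throw new Error('Octet out of range: ' + p);
    long = long * 256 + byte;
  }
  return long >>> 0;
}

// True only for a canonical dotted-decimal IPv4 string.
function isStrictIPv4(ip) {
  try { strictIpToLong(ip); return true; } catch (_e) { return false; }
}

// A typical filter check: is the address in 127.0.0.0/8?
function isLoopback(long) {
  return (long >>> 24) === 127;
}

// Constructed input: the lenient parser yields 177.0.0.1 (not loopback), while
// the strict one refuses to guess and rejects it.
console.log(isLoopback(lenientIpToLong('0177.0.0.1'))); // false (filter fooled)
console.log(isStrictIPv4('0177.0.0.1'));                 // false (rejected)
console.log(isStrictIPv4('127.0.0.1'));                  // true
```

Wire `isStrictIPv4` in front of any allow/deny list so that a string the library cannot interpret unambiguously never reaches the network layer.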

Available Upgrade Options

  • netmask
    • <1.1.0 → Upgrade to 1.1.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-28918?

Similar Vulnerabilities: CVE-2021-29418, CVE-2020-13777, CVE-2019-16781, CVE-2018-8094, CVE-2017-5753