CVE-2021-29418
Access Control Bypass vulnerability in netmask
What is CVE-2021-29418 About?
This access control bypass vulnerability in the 'netmask' package for Node.js arises because the package mishandles unexpected characters in an IP address string, which allows attackers to bypass IP-based access controls. The impact is unauthorized access or circumvention of security policies. Exploiting this vulnerability is relatively simple with specially crafted IP strings.
Affected Software
Technical Details
The 'netmask' package before version 2.0.1 for Node.js contains an access control bypass vulnerability due to improper handling of unexpected characters in IP address strings. Specifically, it mishandles unexpected characters in an IP address component, such as a '9' appearing where an octal digit is expected. This parsing error can cause the 'netmask' package to interpret an IP address incorrectly, leading to a mismatch with established access control lists (ACLs) that rely on correct IP address validation. An attacker can craft an IP address string with such malformed components so that it passes network restrictions it should not, gaining unauthorized access to resources. This issue exists because of an incomplete fix for a previous vulnerability, CVE-2021-28918, indicating a deeper flaw in the IP parsing logic.
What is the Impact of CVE-2021-29418?
Successful exploitation may allow attackers to bypass IP-based access controls, leading to unauthorized access to restricted resources.
What is the Exploitability of CVE-2021-29418?
Exploitation of this vulnerability is of low to moderate complexity. It typically requires no authentication, as the bypass often occurs at the initial access control check. No special privileges are needed. The vulnerability can be exploited by a remote attacker simply by providing a specially crafted IP address string through an input vector that is processed by the 'netmask' package. The primary condition is that the application uses the vulnerable version of the 'netmask' package for IP-based access control and mishandles these specific unexpected characters. The likelihood of exploitation is higher in applications that rely solely on this package for IP validation without additional sanity checks on incoming IP strings.
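One way to add the kind of sanity check on incoming IP strings mentioned above, as an added example that is not code from the netmask project or from this advisory: a strict parser that accepts only canonical dotted-decimal IPv4 and fails closed on anything ambiguous. The function names and sample inputs are constructed for illustration.

```javascript
// Added example: strict IPv4 pre-validation in front of an IP-based ACL.
// Names and sample inputs are constructed for illustration.

// Accept only canonical dotted-decimal IPv4: exactly four components, decimal
// digits only, no leading zeros, no hex prefix, no whitespace, each 0-255.
// Returns the address as an unsigned 32-bit number, or null when rejected.
function parseStrictIPv4(input) {
  if (typeof input !== 'string') return null;
  const parts = input.split('.');
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(part)) return null;
    const n = Number(part);
    if (n > 255) return null;
    value = value * 256 + n;
  }
  return value;
}

// Fail-closed CIDR membership test: any unparsable input means "not allowed".
function inCidr(ip, cidr) {
  if (typeof cidr !== 'string') return false;
  const pieces = cidr.split('/');
  if (pieces.length !== 2) return false;
  const addr = parseStrictIPv4(ip);
  const net = parseStrictIPv4(pieces[0]);
  if (addr === null || net === null) return false;
  if (!/^(0|[1-9][0-9]?)$/.test(pieces[1])) return false;
  const bits = Number(pieces[1]);
  if (bits > 32) return false;
  const blockSize = 2 ** (32 - bits); // plain arithmetic avoids 32-bit shift pitfalls
  return Math.floor(addr / blockSize) === Math.floor(net / blockSize);
}

// Constructed sample inputs: one canonical address and several ambiguous forms.
const SAMPLES = ['10.0.0.9', '010.0.0.9', '10.0.0.09', '0x0a.0.0.9', '10.0.0.9 ', '10.0.9'];

// Returns the samples that the strict check places inside the given CIDR block.
function allowedSamples(cidr) {
  return SAMPLES.filter((s) => inCidr(s, cidr));
}

console.log(allowedSamples('10.0.0.0/8'));
```

A check like this belongs in front of whatever ACL library the application uses, in addition to upgrading netmask to 2.0.1.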
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-29418?
Available Upgrade Options
- netmask
  - <2.0.1 → Upgrade to 2.0.1
Additional Resources
- https://security.netapp.com/advisory/ntap-20210604-0001
- https://sick.codes/sick-2021-011
- https://nvd.nist.gov/vuln/detail/CVE-2021-29418
- https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918
- https://www.npmjs.com/package/netmask
- https://osv.dev/vulnerability/GHSA-pch5-whg9-qr2r
- https://vuln.ryotak.me/advisories/6
- https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4
What are Similar Vulnerabilities to CVE-2021-29418?
Similar Vulnerabilities: CVE-2021-28918, CVE-2020-28153, CVE-2019-11358, CVE-2019-16781, CVE-2018-1000130
