Vulnerabilities have been identified in the Rust and Go standard libraries related to incorrect handling of IP addresses containing octal digits in the address parsing functions. They allow an application's address validation to be bypassed, for example to reach addresses on the loopback interface (127.x.x.x) or intranet subnets in an SSRF (Server-side request forgery) attack. The vulnerabilities continue the series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662), and Net::Netmask (Perl, CVE-2021-29424).
According to the specification, octets of an IP address string that begin with a zero should be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the octal number 0177 is equal to 127 in decimal. An attacker could request a resource using the value "0177.0.0.1", which in decimal representation is "127.0.0.1". If an affected library is used, the application will not detect that the address 0177.0.0.1 belongs to the 127.0.0.1/8 subnet, but when the request is actually sent to "0177.0.0.1", the network functions will treat it as 127.0.0.1. Similarly, the intranet address check can be bypassed with values such as "012.0.0.1" (equivalent to "10.0.0.1").
In Rust, the standard library "std::net" (CVE-2021-29922) was affected. This library's IP address parser dropped leading zeros from an octet, but only when the octet had at most three digits: "0177.0.0.1" was therefore rejected as invalid, while "010.8.8.8" and "127.0.026.1" were parsed with an incorrect result. Applications that use std::net::IpAddr to parse user-specified addresses are potentially vulnerable to SSRF (Server-side request forgery), RFI (Remote File Inclusion), and LFI (Local File Inclusion) attacks. The vulnerability has been fixed in the Rust 1.53.0 branch.

In Go, the "net" standard library is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros instead of processing them as an octal prefix. For example, an attacker can pass the value 00000177.0.0.1, which, when checked with net.ParseCIDR("00000177.0.0.1/24"), will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in the Go 1.16.3 release and 1.17 beta.
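To make the discrepancy described above concrete, the following added example (not code from the Rust or Go standard libraries or from the article) contrasts three readings of a dotted-quad string: a strict defensive parser that refuses leading zeros, a lax reading that drops them as the pre-fix libraries did, and an approximation of the inet_aton octal/hex convention that the OS applies when connecting. The function names and the `Ambiguous` check are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseOctets converts a dotted quad using strconv base; bitSize 8 rejects >255.
func parseOctets(s string, base int, allowLeadingZero bool) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four octets", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if !allowLeadingZero && len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("%q: octet %q has a leading zero", s, p)
		}
		v, err := strconv.ParseUint(p, base, 8)
		if err != nil {
			return nil, fmt.Errorf("%q: bad octet %q: %v", s, p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// StrictIPv4: decimal only, no leading zeros, so the string cannot mean one thing to the check and another to the socket.
func StrictIPv4(s string) (net.IP, error) { return parseOctets(s, 10, false) }
// LaxIPv4 reproduces the pre-fix reading the article describes: leading zeros dropped, digits read as decimal.
func LaxIPv4(s string) (net.IP, error) { return parseOctets(s, 10, true) }
// AtonIPv4 approximates inet_aton (leading "0" is octal, "0x" is hex); strconv base 0 gives both readings.
func AtonIPv4(s string) (net.IP, error) { return parseOctets(s, 0, true) }

// Ambiguous reports whether the lax and inet_aton readings of s disagree,
// i.e. whether s could pass a lax allow-list check yet reach another host.
func Ambiguous(s string) bool {
	lax, err1 := LaxIPv4(s)
	aton, err2 := AtonIPv4(s)
	return err1 == nil && err2 == nil && !lax.Equal(aton)
}

func main() {
	for _, s := range []string{"127.0.0.1", "0177.0.0.1", "010.8.8.8"} {
		_, err := StrictIPv4(s)
		fmt.Printf("%-12s strict-err=%v ambiguous=%v\n", s, err, Ambiguous(s))
	}
}
```

Rejecting any octet with a leading zero before the value reaches an allow-list or deny-list check removes the ambiguity entirely, whichever parser the standard library version in use happens to implement.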


Source: opennet.ru
