Vulnerability in network libraries of Rust and Go languages that allows bypassing IP address verification

Vulnerabilities have been identified in the Rust and Go standard libraries caused by incorrect handling of IP addresses containing octal octets in the address parsing functions. They allow an application's address validation to be bypassed, for example to reach loopback addresses (127.x.x.x) or intranet subnets during SSRF (Server-side request forgery) attacks. The vulnerabilities continue a series of similar problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662), and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, an octet of a textual IP address that starts with a zero should be interpreted as an octal number, but many libraries ignore this and simply strip the leading zero, treating the value as decimal. For example, 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal representation corresponds to "127.0.0.1". With a problematic library, the application will not detect that 0177.0.0.1 falls within the subnet 127.0.0.1/8, but when the request is actually sent it can reach "0177.0.0.1", which the network functions process as 127.0.0.1. In the same way, a check for intranet addresses can be fooled by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" (CVE-2021-29922) was affected. This library's address parser stripped leading zeros from octets, but only where the octet had no more than three digits: "0177.0.0.1" was rejected as invalid, whereas "010.8.8.8" and "127.0.026.1" were parsed to incorrect results. Applications that use std::net::IpAddr to parse user-supplied addresses are potentially exposed to SSRF (Server-side request forgery), RFI (Remote File Inclusion), and LFI (Local File Inclusion) attacks. The vulnerability has been fixed in the Rust 1.53.0 branch.

In Go, the "net" standard library is affected (CVE-2021-29923). The built-in function net.ParseCIDR strips leading zeros instead of interpreting the octet as octal. For example, an attacker can pass the value 00000177.0.0.1, which net.ParseCIDR("00000177.0.0.1/24") parses as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in the Go 1.16.3 release and the 1.17 beta.
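As an added example (not code from the article or from either project), the following Go program shows the two readings a zero-prefixed octet can get, the octal reading that the OS resolver applies and the stripped-zero decimal reading of a lenient parser, and a strict check that refuses such octets outright, which is the behaviour the fixed libraries adopt. The parseOctets and Allowed functions and the 127.0.0.0/8 plus 10.0.0.0/8 deny policy are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// parseOctets reads a dotted quad. octalAware=false strips leading zeros and reads
// decimal (lenient pre-fix behaviour); octalAware=true reads "0..." octets as octal.
func parseOctets(s string, octalAware bool) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected 4 octets", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		base := 10
		if octalAware && len(p) > 1 && p[0] == '0' {
			base = 8
		}
		n, err := strconv.ParseUint(p, base, 8) // rejects signs, junk and >255
		if err != nil {
			return nil, fmt.Errorf("%q: bad octet %q: %v", s, p, err)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// Allowed is a constructed egress policy: reject any octet with a leading zero
// (so the application and the OS resolver can never disagree about the host),
// then deny 127.0.0.0/8 and 10.0.0.0/8.
func Allowed(s string) bool {
	for _, p := range strings.Split(s, ".") {
		if len(p) > 1 && p[0] == '0' {
			return false
		}
	}
	ip, err := parseOctets(s, false)
	_, intranet, _ := net.ParseCIDR("10.0.0.0/8")
	return err == nil && !ip.IsLoopback() && !intranet.Contains(ip)
}

func main() {
	for _, s := range []string{"0177.0.0.1", "010.8.8.8", "8.8.8.8"} {
		osView, _ := parseOctets(s, true) // what connect() would actually reach
		fmt.Printf("%-11s os=%-10v allowed=%v\n", s, osView, Allowed(s))
	}
}
```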

Source: opennet.ru
