Vulnerability in the node-netmask NPM package, used by 270 thousand projects

The node-netmask NPM package, which has about 3 million downloads per week and is used as a dependency by more than 270 thousand projects on GitHub, has a vulnerability (CVE-2021-28918) that allows bypassing checks that rely on netmask to decide whether an address falls within a range or to filter addresses. The issue is fixed in the node-netmask 2.0.0 release.

The vulnerability allows an external IP address to be passed off as an address on the internal network and vice versa, and, given certain patterns of node-netmask use in an application, makes it possible to carry out SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks in order to reach resources on the internal network and to pull external or local files into the execution chain. The root cause is that, according to the specification (the classic inet_aton parsing rules), an address component that starts with a zero must be interpreted as an octal number, but the node-netmask module does not take this into account and treats such components as decimal numbers.

For example, an attacker can request a local resource by specifying the value "0177.0.0.1", which is equivalent to "127.0.0.1"; the node-netmask module, however, drops the leading zero and treats "0177.0.0.1" as "177.0.0.1", so an application evaluating its access rules cannot recognize it as "127.0.0.1". Likewise, an attacker can specify the address "0127.0.0.1", which should be equivalent to "87.0.0.1" but is treated as "127.0.0.1" by node-netmask. In the same way, checks for intranet addresses can be fooled by supplying a value such as "012.0.0.1" (equivalent to "10.0.0.1", but processed as 12.0.0.1 during the check).
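The mismatch described above, as an added example that is not part of the original article and not code from the node-netmask project: `parseInetAton` below follows the inet_aton rules (a leading zero marks octal, `0x` marks hex), while `parseDecimalOnly` is a hypothetical reimplementation of the pre-2.0.0 behaviour the article describes (leading zeros ignored, digits read as decimal). Both are fed to the same CIDR block-list check so the difference in verdict is visible; the block list, the `isBlocked` helper and the sample inputs are assumptions made for this example.

```javascript
// Added example, not node-netmask code. Two dotted-quad parsers that return a
// canonical "a.b.c.d" string or null for input they reject.

// inet_aton-style parsing: "0177" is octal 127, "0x7f" is hex 127, "177" is decimal.
function parseInetAton(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) return parseInt(p.slice(2), 16);
    if (/^0[0-7]+$/.test(p)) return parseInt(p, 8);        // leading zero => octal
    if (/^(0|[1-9][0-9]*)$/.test(p)) return parseInt(p, 10);
    return NaN;                                            // e.g. "08" is invalid octal
  });
  if (octets.some((n) => Number.isNaN(n) || n > 255)) return null;
  return octets.join('.');
}

// Hypothetical reimplementation of the flawed behaviour described in the article:
// every component is read as decimal, so "0177" becomes 177 and "012" becomes 12.
function parseDecimalOnly(addr) {
  const parts = addr.split('.');
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => (/^[0-9]+$/.test(p) ? parseInt(p, 10) : NaN));
  if (octets.some((n) => Number.isNaN(n) || n > 255)) return null;
  return octets.join('.');
}

// Canonical dotted quad -> unsigned 32-bit integer.
function toInt(quad) {
  return quad.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True if the canonical quad lies inside the CIDR range "base/bits".
function inCidr(quad, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((toInt(quad) & mask) >>> 0) === ((toInt(base) & mask) >>> 0);
}

// Assumed SSRF block list: loopback, RFC 1918 and link-local ranges.
const BLOCKED = ['127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16'];

// Returns true when the address must be refused. Unparsable input is refused too,
// which is the safe default for a deny-list check.
function isBlocked(addr, parser) {
  const quad = parser(addr);
  if (quad === null) return true;
  return BLOCKED.some((c) => inCidr(quad, c));
}

// Side-by-side verdict for one user-supplied string.
function compare(addr) {
  return {
    input: addr,
    actualTarget: parseInetAton(addr),          // where a connect() would really go
    seenByDecimalParser: parseDecimalOnly(addr), // what the flawed check believes it is
    blockedByCorrectCheck: isBlocked(addr, parseInetAton),
    blockedByDecimalCheck: isBlocked(addr, parseDecimalOnly),
  };
}

// Constructed inputs taken from the three cases in the text.
for (const a of ['0177.0.0.1', '0127.0.0.1', '012.0.0.1']) {
  console.log(compare(a));
}
```

Running it shows "0177.0.0.1" and "012.0.0.1" sailing through the decimal-based check even though the real targets are 127.0.0.1 and 10.0.0.1, while "0127.0.0.1" is refused by the decimal check although it actually points at 87.0.0.1. The practical fix is to canonicalize the address with one inet_aton-compatible parser before it reaches any range check, and to run the connection against that canonical form rather than the raw string.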

The researchers who discovered the problem called it catastrophic and described a number of attack scenarios, but most of them look speculative. For example, they mention a possible attack on Node.js-based applications that open outbound connections to fetch resources based on request parameters or input data, but no specific application is named or described in detail. Even if such an application, one that fetches resources based on user-supplied IP addresses, is found, it is not entirely clear how the vulnerability could be exploited in practice without access to the local network or without control over the "mirror" IP addresses.

The researchers merely assume that the owners of 87.0.0.1 (Telecom Italia) and 177.0.0.1 (Brasil Telecom), the addresses node-netmask mixes up with 127.0.0.1 when the octal forms "0127.0.0.1" and "0177.0.0.1" are used, could bypass restrictions tied to 127.0.0.1. A more realistic scenario is using the vulnerability to bypass block lists in various applications. The issue can also be used to circumvent the intranet address definitions in the NPM module "private-ip".

source: budenet.ru