Vulnerability in the node-netmask NPM package used in 270 thousand projects

The node-netmask NPM package, which sees around 3 million downloads a week and is pulled in as a dependency by more than 270 thousand projects on GitHub, contains a vulnerability (CVE-2021-28918) that lets an attacker bypass checks that use netmask to decide whether an address falls within a range or to filter addresses. The problem is fixed in the node-netmask 2.0.0 release.

The vulnerability makes it possible to have an external IP address treated as an address on the internal network and vice versa and, given certain patterns of node-netmask use in an application, to carry out SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks: reaching resources on the internal network and pulling external or local files into the execution chain. The root cause is that, according to the specification (the dotted-quad parsing rules that inet_aton implements), an address component whose string value starts with a zero must be interpreted as an octal number, but the node-netmask module did not take this into account and treated such values as decimal.

For example, an attacker can request a local resource by supplying the value "0177.0.0.1", which corresponds to "127.0.0.1"; the node-netmask module, however, drops the leading zero and treats "0177.0.0.1" as "177.0.0.1", so an application evaluating its access rules cannot recognise it as the same address as "127.0.0.1". Likewise, an attacker can supply the address "0127.0.0.1", which should be equivalent to "87.0.0.1" but is treated as "127.0.0.1" by node-netmask. In the same way, a check guarding access to intranet addresses can be fooled by supplying a value such as "012.0.0.1" (equivalent to "10.0.0.1", but processed as 12.0.0.1 during the check).
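The mismatch described above, as an added example that is not node-netmask's own code: a small CIDR containment check is run with two octet parsers, one that reads every octet as decimal (a constructed stand-in for the behaviour the article attributes to node-netmask before 2.0.0, not a copy of its source) and one that follows the inet_aton convention (leading 0 means octal; it also accepts the 0x hex form inet_aton allows, which goes beyond the cases in the text). The list of internal ranges is constructed for the demonstration.

```javascript
// Added example (not from node-netmask). Compares a decimal-only octet parser
// with an inet_aton-style parser on the article's three inputs.

// Decimal-only parsing: "0177" -> 177, silently dropping the leading zero.
// This models the pre-2.0.0 behaviour described in the article.
function parseOctetDecimalOnly(octet) {
  if (!/^[0-9]+$/.test(octet)) throw new Error('not a decimal octet: ' + octet);
  const v = parseInt(octet, 10);
  if (v > 255) throw new Error('octet out of range: ' + octet);
  return v;
}

// inet_aton-style parsing: leading "0x" is hex, leading "0" is octal,
// anything else is decimal. "0177" -> 127, "0127" -> 87, "012" -> 10.
// A leading zero followed by a non-octal digit ("08") is rejected outright.
function parseOctetInetAton(octet) {
  let v;
  if (/^0[xX][0-9a-fA-F]+$/.test(octet)) v = parseInt(octet.slice(2), 16);
  else if (/^0[0-7]*$/.test(octet)) v = parseInt(octet, 8);
  else if (/^[1-9][0-9]*$/.test(octet)) v = parseInt(octet, 10);
  else throw new Error('malformed octet: ' + octet);
  if (v > 255) throw new Error('octet out of range: ' + octet);
  return v;
}

// Dotted quad -> unsigned 32-bit integer, using the supplied octet parser.
function ipv4ToInt(addr, parseOctet) {
  const parts = addr.split('.');
  if (parts.length !== 4) throw new Error('expected dotted quad: ' + addr);
  return parts.reduce((acc, p) => ((acc << 8) | parseOctet(p)) >>> 0, 0);
}

// True when addr lies inside cidr ("a.b.c.d/bits"), both parsed with parseOctet.
function cidrContains(cidr, addr, parseOctet) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!(bits >= 0 && bits <= 32)) throw new Error('bad prefix length: ' + cidr);
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  const net = ipv4ToInt(base, parseOctet);
  const ip = ipv4ToInt(addr, parseOctet);
  return ((ip & mask) >>> 0) === ((net & mask) >>> 0);
}

// Constructed deny-list of internal ranges, as an SSRF filter might hold.
const INTERNAL_RANGES = ['127.0.0.0/8', '10.0.0.0/8', '192.168.0.0/16'];

function isInternal(addr, parseOctet) {
  return INTERNAL_RANGES.some((r) => cidrContains(r, addr, parseOctet));
}

// Verdict of the filter under each parser for one attacker-supplied string.
function compareVerdicts(addr) {
  return {
    addr,
    decimalOnly: isInternal(addr, parseOctetDecimalOnly),
    inetAton: isInternal(addr, parseOctetInetAton),
  };
}

for (const a of ['0177.0.0.1', '0127.0.0.1', '012.0.0.1']) {
  console.log(compareVerdicts(a));
}
```

With the decimal-only parser "0177.0.0.1" and "012.0.0.1" pass the filter although the operating system connects to 127.0.0.1 and 10.0.0.1; "0127.0.0.1" is blocked as if it were loopback even though it resolves to 87.0.0.1. The inet_aton-style parser gives the verdict that matches where the connection actually goes, and throws on ambiguous input such as "08.0.0.1" instead of guessing.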

The researchers who identified the issue called it catastrophic and presented several attack scenarios, but most of them look speculative. For example, they mention the possibility of attacking a Node.js application that opens outbound connections to fetch resources based on request parameters or input data, but no specific application is named or described in detail. Even if applications that load resources from a user-supplied IP address can be found, it is not entirely clear how the vulnerability could be exploited in practice without being connected to the local network or without controlling the "mirror" IP addresses.

The researchers only conjecture that the owners of 87.0.0.1 (Telecom Italia) and 0177.0.0.1 (Brasil Telecom) could bypass an access restriction meant for 127.0.0.1. A more realistic scenario is using the vulnerability to bypass various application-side block lists. The issue can also be used to bypass the intranet-range detection in the NPM module "private-ip".

Source: opennet.ru
