Vulnerabilities in the Rust and Go network libraries that allow IP address validation to be bypassed.

Vulnerabilities caused by incorrect handling of IP addresses containing octal digits in the address parsing functions have been identified in the standard libraries of the Rust and Go languages. The vulnerabilities make it possible to bypass address validity checks in applications, for example to gain access to loopback interface addresses (127.x.x.x) or to intranet subnets when carrying out SSRF (Server-side request forgery) attacks. They continue the series of problems previously found in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

According to the specification, IP address components that begin with a zero should be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the number 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If the problematic library is used, the application will not detect that the address 0177.0.0.1 lies in the 127.0.0.1/8 subnet, but when it actually sends the request it may connect to the address "0177.0.0.1", which the network functions will treat as 127.0.0.1. In the same way, a check on access to intranet addresses can be fooled by specifying a value such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" was affected by the problem (CVE-2021-29922). The IP address parser of this library dropped the leading zero of an address component, but only when no more than three digits were given: for example, "0177.0.0.1" was treated as an invalid value, while an incorrect result was returned for 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr to parse user-supplied addresses are potentially vulnerable to SSRF (Server-side request forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.


In Go, the standard library "net" is affected (CVE-2021-29923). The built-in function net.ParseCIDR skips leading zeros of octal numbers instead of processing them. For example, an attacker can pass the value 00000177.0.0.1, which, when checked with net.ParseCIDR("00000177.0.0.1/24"), will be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability is fixed in Go release 1.16.3 and in beta 1.17.
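The following Go program is an added example and is not code from the Rust or Go projects or from the original article. It makes the two readings of a leading-zero address visible side by side (OctalReading gives the inet_aton-style octal interpretation of "0177.0.0.1", "012.0.0.1" and "127.0.026.1"; a parser that drops the zero gives the other one) and then shows the defensive approach that does not depend on which library parses the string later: refuse any octet with a leading zero and run the blocklist check on the bytes that this same parser produced. The blocklist ranges, the function names and the sample addresses (203.0.113.10 from the TEST-NET-3 documentation range) are choices made for this example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// blockedNets are destinations an SSRF guard typically refuses.
// Constructed for this example; adapt the list to the deployment.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8",    // loopback
	"10.0.0.0/8",     // RFC 1918
	"172.16.0.0/12",  // RFC 1918
	"192.168.0.0/16", // RFC 1918
	"169.254.0.0/16", // link-local (cloud metadata endpoints live here)
	"0.0.0.0/8",      // "this" network
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// OctalReading returns the specification-compliant (inet_aton-style) reading
// of a dotted address: an octet with a leading zero is octal. It is here only
// to show the ambiguity; it must not be used for access control.
func OctalReading(s string) (string, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return "", fmt.Errorf("%q: expected four octets", s)
	}
	out := make([]string, 4)
	for i, p := range parts {
		base := 10
		if len(p) > 1 && p[0] == '0' {
			base = 8
		}
		v, err := strconv.ParseUint(p, base, 8) // bitSize 8 rejects values above 255
		if err != nil {
			return "", fmt.Errorf("%q: bad octet %q: %v", s, p, err)
		}
		out[i] = strconv.FormatUint(v, 10)
	}
	return strings.Join(out, "."), nil
}

// StrictParseIPv4 accepts only plain dotted-decimal IPv4 and rejects any octet
// with a leading zero, so "0177.0.0.1" is refused outright instead of being
// read as 127.0.0.1 by one component and as 177.0.0.1 by another.
func StrictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, fmt.Errorf("%q: expected four octets", s)
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if p == "" {
			return nil, fmt.Errorf("%q: empty octet", s)
		}
		if len(p) > 1 && p[0] == '0' {
			return nil, fmt.Errorf("%q: octet %q has a leading zero (ambiguous octal)", s, p)
		}
		v, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return nil, fmt.Errorf("%q: bad octet %q: %v", s, p, err)
		}
		ip[i] = byte(v)
	}
	return ip, nil
}

// Allowed reports whether a user-supplied destination may be fetched. The
// blocklist is evaluated on the bytes StrictParseIPv4 produced, so no second
// parse of the original string can disagree with this decision.
func Allowed(dest string) (bool, error) {
	ip, err := StrictParseIPv4(dest)
	if err != nil {
		return false, err
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed inputs: the addresses from the article plus one public address.
	for _, s := range []string{"0177.0.0.1", "012.0.0.1", "127.0.026.1", "00000177.0.0.1", "010.8.8.8", "203.0.113.10"} {
		oct, _ := OctalReading(s)
		ok, err := Allowed(s)
		fmt.Printf("%-16s octal reading=%-14s allowed=%-5v err=%v\n", s, oct, ok, err)
	}
}
```

Rejecting leading zeros is stricter than the specification, but it removes the disagreement between parsers that the attacks above rely on; a fixed Go toolchain takes the same position, since net.ParseIP returns nil for such inputs, while this check also protects code that normalises addresses elsewhere (a URL library, a proxy, the resolver) before the request is sent.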



Source: opennet.ru
