Vulnerability in the node-netmask NPM package used in 270 thousand projects

The node-netmask NPM package, which has about 3 million downloads per week and is used as a dependency in more than 270 thousand projects on GitHub, has a vulnerability (CVE-2021-28918) that allows bypassing checks that use a mask to determine whether an address falls within a range or to filter it. The problem is fixed in node-netmask release 2.0.0.

The vulnerability makes it possible to treat an external IP address as an address from the internal network and vice versa and, given certain logic for using the node-netmask module in an application, to carry out SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks in order to reach resources on the internal network and include external or local files in the execution chain. The problem is that, according to the specification, address octets starting with a zero must be interpreted as octal numbers, but the node-netmask module ignores this and treats them as decimal numbers.

For example, an attacker can request a local resource by specifying the value "0177.0.0.1", which corresponds to "127.0.0.1", but the node-netmask module drops the leading zero and treats "0177.0.0.1" as "177.0.0.1", so an application checking access rules cannot tell that it is identical to "127.0.0.1". Similarly, an attacker can specify the address "0127.0.0.1", which should be equivalent to "87.0.0.1", but is treated as "127.0.0.1" by the node-netmask module. In the same way, a check for intranet addresses can be fooled by specifying values such as "012.0.0.1" (equal to "10.0.0.1", but processed as "12.0.0.1" during the check).
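The octet mismatch described above, as an added example that is not code from node-netmask or from the researchers: three ways of reading a dotted-quad octet (the inet_aton() rule, the pre-2.0.0 decimal reading, and a strict canonical form) and a loopback block-list check run over the addresses quoted in the text. The helper names are my own, and hexadecimal octets, which inet_aton() also accepts, are left out.

```javascript
// Octet parsers. inet_aton() rule: a leading "0" marks octal (hex omitted here).
function octetInetAton(s) {
  if (/^0[0-7]*$/.test(s)) return parseInt(s, 8);     // "0177" -> 127, "012" -> 10
  if (/^[1-9][0-9]*$/.test(s)) return parseInt(s, 10);
  return null;
}
// The pre-2.0.0 node-netmask reading: every octet is decimal, "0177" -> 177.
function octetNaiveDecimal(s) {
  return /^[0-9]+$/.test(s) ? parseInt(s, 10) : null;
}
// Canonical dotted-decimal only (no leading zeros): the simplest safe policy
// for input that later feeds a block-list or private-range check.
function octetCanonical(s) {
  return /^(0|[1-9][0-9]*)$/.test(s) ? parseInt(s, 10) : null;
}
// "a.b.c.d" -> 32-bit number using the chosen octet parser, null if invalid.
function parseIPv4(str, octetParser) {
  const parts = String(str).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    const v = octetParser(p);
    if (v === null || v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}
function toDotted(n) {
  return [24, 16, 8, 0].map(s => (n >>> s) & 255).join('.');
}
// Is the numeric address inside the CIDR block "x.x.x.x/len"?
function inCidr(addr, cidr) {
  const [base, len] = cidr.split('/');
  const mask = len === '0' ? 0 : (0xffffffff << (32 - Number(len))) >>> 0;
  const baseN = parseIPv4(base, octetCanonical);
  return ((addr & mask) >>> 0) === ((baseN & mask) >>> 0);
}
// A loopback block-list check as an application might write it. With the naive
// parser "0177.0.0.1" passes, although the OS resolver would connect to 127.0.0.1.
function blockedNaive(str) {
  const a = parseIPv4(str, octetNaiveDecimal);
  return a !== null && inCidr(a, '127.0.0.0/8');
}
// Strict variant: anything that is not canonical is refused outright.
function blockedStrict(str) {
  const a = parseIPv4(str, octetCanonical);
  return a === null || inCidr(a, '127.0.0.0/8');
}
```

Normalising input to canonical form (or rejecting anything else) before the range check is what removes the gap between the address the check sees and the address the network stack connects to.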

The researchers who identified the problem called it catastrophic and provided several attack scenarios, but most of them look speculative. For example, they describe the possibility of attacking a Node.js-based application that establishes external connections to request a resource based on parameters or input request data, but no specific application is named or detailed. Even if applications that load resources based on user-supplied IP addresses are found, it is not entirely clear how the vulnerability could be exploited in practice without a connection to the local network or without control over the "mirror" IP addresses.

The researchers only suggest that the owners of 87.0.0.1 (Telecom Italia) and 0177.0.0.1 (Brasil Telecom) are able to bypass an access restriction on 127.0.0.1. A more realistic scenario is exploiting the vulnerability to bypass various block lists on the application side. The problem can also be exploited in combination with the intranet-range definitions in the NPM module "private-ip".

Source: opennet.ru
