Search This Blog

Showing posts with label SSRF. Show all posts

278,000 GitHub Repositories Affected by a Critical Networking Flaw in Netmask

 

Security researchers have unearthed a critical networking flaw CVE-2021-28918 in a popular npm library netmask. Netmask is commonly utilized by tons of thousands of applications to analyze IPv4 addresses and CIDR blocks or compare them. 

Netmask usually gets over 3 million weekly downloads, and as of today, has scored over 238 million complete downloads over its lifetime. Apart from this, nearly 278,000 GitHub repositories depend on the netmask. Due to improper input validation flaw, netmask sees a different IP and this flaw could allow hackers to achieve server-side request forgery (SSRF) in downstream applications.

 Security researchers Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, and John Jackson were responsible for tracking down the vulnerability in the popular netmask library. The flaw was initially detected when security researchers including Codes were designing a patch for a separate, critical, SSRF flaw (CVE-2020-28360) in downstream package Private-IP, which helps in preventing personal IP addresses from communicating with an application’s internal resources.

According to a GitHub advisory published by Sick Codes, “the primary cause of the problem turned out to be Netmask’s incorrect evaluation of individual IPv4 octets that contain octal strings as left-stripped integers, leading to an inordinate attack surface on hundreds of thousands of projects that rely on Netmask to filter or evaluate IPv4 block ranges, both inbound and outbound.”

Security researchers initially discovered the flaw on March 16 and advised node js developers to examine their projects for use of Netmask and upgrade immediately if they identify the package in use. Sick Codes stated that the 30 billion nodejs packages downloaded last week were mostly installed by automated CI/CD pipelines and with no manual runtime inspections.

Olivier Poitrey, netmask developer and director of engineering at Netflix, released a series of patches [1,2,3] for the bug to GitHub, containing test cases validating that IPv4 octets with 0 prefixes are treated as octal and not decimal numbers. Earlier this month, the Perl component Net::Netmask also suffered from this bug.

Critical SSRF vulnerability in Paypal's subsidiary allows to access Internal Network

Shubham Shah, a web application pentester from Australia, has discovered a critical Server Side Request Forgery(SSRF) vulnerability in the Bill Me Later website, a subsidiary of Paypal. The vulnerability exists in the subdomain(merchants.billmelater.com).

"The vulnerability itself was found within a test bed for BillMeLater’s SOAP API, which allowed for queries to be made to any given host URL." researcher explained in his blog post.

An attacker is able to send request to any internal network through the API and get the response.  Some internal admin pages allowed him to query internal databases without asking any login credentials.

Researcher says that a successful exploitation may result in compromising the customers data.

The bug was reported to Paypal on October 2013 and he got reward from them on Jan. 2014.

Paypal has partially fixed the bug by restricting the SOAP API to access the internal servers.  However, researcher says that it still act as proxy to view other hosts.

If you would like to know more details about SSRF vulnerability and how it can be exploited for port scanning or internal network finding, you can refer the Riyaz Waliker blog post and this document.