The “net” library commonly used in the Go and Rust languages is also affected by the mixed-format IP address validation vulnerability.
The bug has to do with how report treats IP addresses as decimal, even when provided in a mixed (octal-decimal) format.
Therefore, applications based on report Could be vulnerable to undetermined server-side request forgery (SSRF) and remote file inclusion (RFI) vulnerabilities.
Previously, the flaw affected various implementations of the netmask library, which relied on thousands of nominations.
Later Python standard library called IP adress was also found to be vulnerable to the flaw.
The leading zero changes the IP address
The vulnerability, tracked by CVE-2021-29922 (for Rust) and CVE-2021-29923 (for Golang) relates to how report handles IP addresses of mixed formats, or more precisely when a decimal IPv4 address contains a leading zero.
A simple search for “import neton GitHub reveals more 4 million files to go alone leaning on the report library.
An IP address can be represented in a variety of formats, including hexadecimal and integer, although the most common IPv4 addresses are expressed in decimal format.
For example, BleepingComputer’s IPv4 address represented in decimal format is 126.96.36.199, but the same can be expressed in octal format as 0150.0024.0073.0321.
Suppose you receive an IP address in decimal format, 127.0.0.1, which is widely understood as the local loopback address or localhost.
If you were to prefix it with a 0, would an application still have to parse 0127.0.0.1 as 127.0.0.1 or something else?
Try this in your web browser. In BleepingComputer’s tests, typing 0127.0.0.1/ in Chrome’s address bar causes the browser to treat it as an IP address in octal format.
Pressing Enter or Return actually changes the IP address to its decimal equivalent of 188.8.131.52, which is how most applications are supposed to handle such ambiguous IP addresses.
Of particular note is the fact that 127.0.0.1 is not a public IP address but a loopback address, however, its ambiguous representation turns it into a public IP address leading to a completely different host.
But, in the case of the report library, all leading zeros would just be stripped and removed.
According to an IETF project (which expired before it could be formalized in a specification), parts of an IPv4 address can be interpreted as octal if preceded by a “0”.
Thus, the rules for parsing an IPv4 address in mixed format vary from one application to another.
Therefore, if a developer used report to validate if an IP address belongs to a certain range (e.g. parsing a list of IP addresses against an access control list (ACL)), the result may be wrong for octal representations of addresses IPv4.
This can lead to undetermined server-side request forgery (SSRF) and remote file inclusion (RFI) vulnerabilities in applications.
Several applications and languages impacted
Go and Rust are not the only languages impacted by this bug.
This mixed-format IP address validation bug had previously impacted Python IP adress library (CVE-2021-29921), netmask implementations (CVE-2021-28918, CVE-2021-29418) and similar libraries.
In most cases, the bug was categorized as High or Critical severity:
Oracle S1446698 NEW
— Sick.Codes (@sickcodes) August 7, 2021
Disease codes shared some ideas with BleepingComputer:
“The Go vulnerability has a little less impact than rust because it only deals with CIDR blocks.”
“However, it was important enough for Kubernetes to choose the fix.”**
“Overall, since these were standard library changes that would affect all projects written in the language themselves, they needed a lot of testing or making patches redundant,” Disease codes told BleepingComputer in an email interview.
For Rust, a to fix has already been merged into the report library, as confirmed by BleepingComputer:
Rust language users should use version 1.53.0 or higher which contains mitigations for this vulnerability.
Update 12:30 PM ET: Clarified that the linked IETF draft had expired and as such was never made official.
**Correction, August 8, 2:10 AM ET: Kubernetes has not implemented the fix, but inverted instead, to avoid breaking builds unexpectedly.