We’ve been seeing so many software supply chain attacks in recent weeks that it’s hard for us to talk about all of them. But, in the last 24 hours, we’ve seen two major issues that are important for everyone to take notice of:
- A critical improper input validation vulnerability in the npm component “netmask”
- PHP’s Git server was hacked in a sophisticated supply chain attack.
First, let’s discuss netmask. Yesterday evening, I broke the news on a critical improper input validation vulnerability that had been lurking in a popular npm component.
Assigned CVE-2021-28918, the flaw concerns the netmask component that gets over 3 million weekly downloads on npm, and is a dependency for almost 280,000 GitHub repositories.
The flaw itself stemmed from netmask treating octal IP addresses as decimal. More specifically, if an IP address started with “0,” the zero would simply be discarded by netmask rather than the component considering the possibility of the IP having been provided in a different (octal) format.
Although IPv4 addresses are most commonly expressed in dotted-decimal form, an IP address can also be written in other formats, including octal, hexadecimal, and as a single integer.
For example, your localhost or loopback address 127.0.0.1 is the same as writing “2130706433” or “0177.0.0.1.”
Applications that interact with networks, including your web browser, account for this: for example, typing 2130706433/ into your web browser’s address bar will resolve to its decimal equivalent, 127.0.0.1, and take you there.
However, what should happen if you prefixed a zero to what looked like an IPv4 address?
0127.0.0.1 (notice the prefixed zero) is actually not the same as 127.0.0.1, but a different IP address 87.0.0.1 expressed in octal format.
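To make the octal, hexadecimal and integer forms described above concrete, here is an added example (written for this post, not netmask’s own code) of an IPv4 parser that follows the inet_aton conventions the browser applies: a part beginning with “0x” is hex, a part beginning with “0” is octal, anything else is decimal, and the final part fills the remaining bytes. Beside it is a constructed “naive” parser that treats every octet as decimal, reproducing the leading-zero mistake the post describes, so the two can be compared on the same inputs. The function names are my own.

```javascript
// Added example (not netmask's code). Parses the IPv4 notations discussed
// in the post (dotted decimal, octal with a leading 0, hex with 0x, and a
// single 32-bit integer) using inet_aton-style rules, and contrasts that
// with a decimal-only parser that silently drops a leading zero.

// Parse one numeric part: "0x.." is hex, "0.." (length > 1) is octal, else decimal.
// Returns null if the digits are not valid for the chosen radix.
function parsePart(part) {
  let radix = 10;
  let digits = part;
  if (/^0[xX]/.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (/^0/.test(part) && part.length > 1) {
    radix = 8;
    digits = part.slice(1);
  }
  const valid = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-fA-F]+$/ }[radix];
  if (!valid.test(digits)) return null;
  return parseInt(digits, radix);
}

// Return the canonical dotted-decimal form of an address string, or null if it
// is not a valid address under inet_aton rules (1 to 4 parts, last part fills
// the remaining bytes, earlier parts must fit in one byte).
function canonicalIPv4(addr) {
  const parts = addr.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const values = parts.map(parsePart);
  if (values.some((v) => v === null)) return null;
  const last = values[values.length - 1];
  const remainingBytes = 4 - (values.length - 1);
  if (last >= 2 ** (8 * remainingBytes)) return null;
  for (let i = 0; i < values.length - 1; i++) {
    if (values[i] > 255) return null;
  }
  let n = 0;
  for (let i = 0; i < values.length - 1; i++) n = n * 256 + values[i];
  n = n * 2 ** (8 * remainingBytes) + last;
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
}

// The flawed behaviour the post describes, constructed here for contrast:
// every part is read as decimal, so "0177" becomes 177 instead of 127.
function naiveCanonical(addr) {
  return addr.split('.').map((p) => parseInt(p, 10)).join('.');
}

// A loopback check is only as good as the canonicalisation in front of it:
// canonicalise first, then compare, rather than matching the raw string.
function isLoopback(addr) {
  const canonical = canonicalIPv4(addr);
  return canonical !== null && canonical.startsWith('127.');
}

// Constructed sample inputs from the post's own examples.
for (const addr of ['127.0.0.1', '0177.0.0.1', '0127.0.0.1', '2130706433', '0x7f.0.0.1']) {
  console.log(addr, '=> correct:', canonicalIPv4(addr), '| naive:', naiveCanonical(addr));
}
```

Running the block shows why the distinction matters for any allow- or deny-list: the correct parser maps “0177.0.0.1” to 127.0.0.1 and “0127.0.0.1” to 87.0.0.1, while the naive parser reports 177.0.0.1 and 127.0.0.1 respectively, so a filter built on the naive form reaches the wrong verdict in both directions.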