Net::CIDR Leading Zero Handling Vulnerability in Perl

Vulnerability

A vulnerability exists in Net::CIDR versions prior to 0.24 for Perl: leading zeros in the octets of IPv4 addresses and CIDR strings are not normalized. The functions 'addr2cidr' and 'cidrlookup' are affected. They accept an octet such as '010' and carry the leading zero through into the CIDR strings they return, while other parsers (for example, anything built on the C library's inet_aton) read a leading-zero octet as octal, so '010' means 8 rather than 10. Two components can therefore disagree about which host a string names, which can lead to unintended consequences such as bypassing access controls based on IP addresses. The documentation recommends validating untrusted CIDR strings with the 'cidrvalidate' function, but that step is optional and not enforced by default, so callers may pass untrusted input to 'addr2cidr' or 'cidrlookup' without validation, assuming it is safe.

Impact

Exploitation of this vulnerability could allow an attacker to bypass IP-based access controls: an address crafted with leading zeros can pass a range check performed by Net::CIDR while being resolved to a different host by another component that interprets the same string as octal.

Reproduction

The vulnerability can be reproduced with Net::CIDR version 0.23 or earlier. First, call 'addr2cidr' with an IP address that includes a leading zero, such as '010.0.0.1'. The function returns CIDR strings that preserve the leading zero instead of rejecting the input or normalizing it. Next, call 'cidrlookup' to check whether a private IP address, such as '10.0.0.1', falls within the ranges derived from the manipulated address. The lookup returns a positive result, because Net::CIDR treats '010' as decimal 10. A downstream component that reads '010' as octal (8) resolves the same string to 8.0.0.1, which is outside that range, so an allow/deny decision made on one interpretation is applied to a different host under the other. This is how the leading zero can be exploited to bypass access controls.
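The disagreement described above, as an added example that is not part of the original advisory and not Net::CIDR's own code. It is written in Python so the two interpretations can be shown side by side: 'lenient_parse' is a hypothetical stand-in for a parser that tolerates leading zeros and reads every octet as decimal, 'octal_parse' uses the C library's inet_aton (via the socket module), which reads a leading-zero octet as octal, and 'strict_validate' is the kind of check the documentation's 'cidrvalidate' advice amounts to: refuse the ambiguous string before it reaches any range logic. The sample address and the 10.0.0.0/8 allowlist are constructed for the example.

```python
import ipaddress
import socket

# Constructed sample input: an attacker-supplied address with a leading zero.
UNTRUSTED_ADDR = "010.0.0.1"

# Constructed allowlist, standing in for an "internal clients only" rule.
ALLOWED_NET = ipaddress.IPv4Network("10.0.0.0/8")


def lenient_parse(addr):
    """Read each octet as a decimal number, ignoring leading zeros.

    Hypothetical stand-in for a parser that tolerates '010' and treats it
    as 10 (the advisory says Net::CIDR preserved such octets rather than
    rejecting them); this is not Net::CIDR's implementation.
    """
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets: %r" % addr)
    octets = []
    for p in parts:
        if not p.isdigit():
            raise ValueError("non-numeric octet: %r" % p)
        value = int(p, 10)  # base 10: '010' -> 10, leading zero ignored
        if value > 255:
            raise ValueError("octet out of range: %r" % p)
        octets.append(value)
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def octal_parse(addr):
    """Parse with the C library's inet_aton, which reads a leading-zero
    octet as octal: '010' becomes 8, so '010.0.0.1' is 8.0.0.1."""
    return ipaddress.IPv4Address(socket.inet_aton(addr))


def strict_validate(addr):
    """Accept only canonical dotted-quad input: four decimal octets in
    0..255 with no leading zeros. Returns an IPv4Address, or None on any
    deviation (the same shape as cidrvalidate, which returns its argument
    or undef)."""
    parts = addr.split(".")
    if len(parts) != 4:
        return None
    for p in parts:
        if not p.isdigit() or (len(p) > 1 and p[0] == "0") or int(p) > 255:
            return None
    return ipaddress.IPv4Address(addr)


def access_decision(addr):
    """Hardened check: reject ambiguous input before any range comparison,
    so every component downstream sees the same canonical address."""
    ip = strict_validate(addr)
    if ip is None:
        return "reject"
    return "allow" if ip in ALLOWED_NET else "deny"


def demonstrate(addr=UNTRUSTED_ADDR):
    """Return (lenient view, inet_aton view, lenient allowlist verdict,
    inet_aton allowlist verdict, hardened verdict) for one input string."""
    lenient = lenient_parse(addr)
    octal = octal_parse(addr)
    return (
        str(lenient),
        str(octal),
        lenient in ALLOWED_NET,
        octal in ALLOWED_NET,
        access_decision(addr),
    )


if __name__ == "__main__":
    lenient, octal, lenient_ok, octal_ok, hardened = demonstrate()
    print("lenient parse  :", lenient, "-> in allowlist:", lenient_ok)
    print("inet_aton parse:", octal, "-> in allowlist:", octal_ok)
    print("hardened check :", hardened)
```

For '010.0.0.1' the lenient view is 10.0.0.1 and passes the allowlist, the inet_aton view is 8.0.0.1 and does not, and the hardened check rejects the string outright. The design point is that normalizing or rejecting leading zeros has to happen once, at the boundary, before any component compares the address against a range; a check that silently tolerates '010' hands the decision to whichever parser runs next.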

Remediation

Users should upgrade to Net::CIDR version 0.25 or later; releases from 0.24 onward address the vulnerability by removing extra leading zeros from octets. After updating, review every call site that passes untrusted input to 'addr2cidr' or 'cidrlookup' and make sure the string is first checked with 'cidrvalidate' (which returns its argument on success and undef otherwise), so that malformed or ambiguous addresses are rejected before any range comparison.

Added: Feb 27, 2026, 1:27 AM
Updated: Feb 27, 2026, 1:27 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.3
exploitability: 8.0
remediation: 0.0
relevance: 3.3
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.