Net::IP::LPM Leading Zero Vulnerability in IP CIDR Parsing Allows Access Control Bypass

Vulnerability

A vulnerability exists in Net::IP::LPM version 1.10 for Perl, where the module improperly handles leading zeroes in IP CIDR notation. This mishandling can enable attackers to circumvent access controls that rely on IP addresses. The issue arises because an octet with a leading zero is interpreted as an octal value, whereas users writing such an address almost always intend decimal notation. The vulnerability could be exploited by crafting IP addresses with leading zeroes so that the module matches a different address or prefix than the one the access control was written for.

Impact

Exploitation of this vulnerability could lead to unauthorized access by bypassing IP-based access controls, allowing attackers to gain access to resources or functionalities that should be restricted.

Reproduction

To reproduce this vulnerability, use Net::IP::LPM version 1.10 and input an IP address in CIDR format with a leading zero, such as '010.0.0.1'. The module misinterprets the address, treating it as '8.0.0.1' instead of '10.0.0.1', because the octet '010' is read as octal (010 = 8). The same reinterpretation can be observed with the 'ping' command, which applies the classic inet_aton rules and reports the target as '8.0.0.1'.
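The decimal/octal ambiguity described above, alongside the strict parsing that removes it, as an added illustration in Python; this is not Net::IP::LPM's code, and the allow-list prefixes are constructed for the example.

```python
import ipaddress
import re

# Strict dotted-quad octet: "0" or a decimal number without a leading zero.
_STRICT_OCTET = re.compile(r"^(?:0|[1-9][0-9]{0,2})$")


def parse_lenient(addr: str) -> int:
    """Mimic classic inet_aton(3): '0x' prefix means hex, leading '0' means octal."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for p in parts:
        if p[:2].lower() == "0x":
            n = int(p[2:], 16)
        elif len(p) > 1 and p[0] == "0":
            n = int(p, 8)  # "010" becomes 8: the reinterpretation the advisory describes
        else:
            n = int(p, 10)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {p!r}")
        value = (value << 8) | n
    return value


def parse_strict(addr: str) -> int:
    """Decimal only; reject any octet with a leading zero or a hex prefix."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {addr!r}")
    value = 0
    for p in parts:
        if not _STRICT_OCTET.match(p) or int(p) > 255:
            raise ValueError(f"ambiguous or invalid octet: {p!r}")
        value = (value << 8) | int(p)
    return value


def _network_strict(cidr: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/len' with the strict octet rules applied to the base address."""
    base, _, plen = cidr.partition("/")
    return ipaddress.IPv4Network((parse_strict(base), int(plen or 32)))


def lenient_allowed(addr: str, cidr: str) -> bool:
    """Legacy-style check: octal reinterpretation silently moves the address."""
    return ipaddress.IPv4Address(parse_lenient(addr)) in ipaddress.IPv4Network(cidr)


def strict_allowed(addr: str, cidr: str) -> bool:
    """Hardened check: an ambiguous address or rule is denied, never guessed at."""
    try:
        return ipaddress.IPv4Address(parse_strict(addr)) in _network_strict(cidr)
    except ValueError:
        return False
```

Under the lenient rules '010.0.0.1' lands in 8.0.0.0/8 rather than 10.0.0.0/8; the strict variant rejects the leading-zero octet on both the address and the rule side, so a configuration mistake surfaces as a denial instead of a silently shifted prefix.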

Remediation

Net::IP::LPM version 1.10 has been patched to address this vulnerability. Users should upgrade to this version.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 0.2
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.