Net::CIDR::Lite IPv6 Address Validation Vulnerability Allowing IP ACL Bypass

Vulnerability

A vulnerability exists in Net::CIDR::Lite for Perl, in versions prior to 0.23, due to improper validation of uncompressed IPv6 addresses. The internal function '_pack_ipv6()' accepts inputs that do not contain the required eight colon-separated hexadecimal groups, such as 'abcd', '1:2:3', or '1:2:3:4:5:6:7', instead of rejecting them. Because the converter never checks the group count, these inputs produce packed values shorter than the 16 bytes a valid IPv6 address occupies, which breaks the mask and comparison operations that assume fixed-length operands. The 'find()' and 'bin_find()' methods compare these packed values with Perl's string comparison operators, so a short packed value can sort on the wrong side of a range boundary and the methods then misreport whether an address falls within a range. The issue is analogous to a previously fixed flaw in the same module in which IPv4 addresses with leading zeros were accepted.

Impact

An attacker who controls an address or range string that reaches 'find()' or 'bin_find()' can cause the lookup to report an address as inside a range it does not belong to, or outside a range it does belong to. When the module backs an IP access control list this yields an ACL bypass (for an allow list) or a false match (for a deny list). No memory corruption is involved; the impact is limited to wrong range-membership answers.

Reproduction

To reproduce this vulnerability, construct a Net::CIDR::Lite object from an IPv6 range whose endpoints are malformed uncompressed addresses (fewer than eight hex groups, as in the examples above). Then call 'find()' with an address that lies outside the range the caller intended. On affected versions the method returns true, a false positive match, because the short packed endpoints compare incorrectly against the 16-byte packed address.
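The practical defence on the caller's side is to refuse any address text that does not convert to exactly 16 bytes before it reaches the module. The following Perl script is an added example written for this page; it is not code from Net::CIDR::Lite or from the advisory. It implements a strict converter for uncompressed addresses (exactly eight groups of one to four hex digits), falls back to the C library's parser for compressed forms, and wraps 'find()' in a hypothetical 'safe_find()' helper that dies on malformed input instead of passing it through. The '2001:db8::/32' allow list and the test addresses are constructed for the demonstration; the Net::CIDR::Lite part only runs if the module is installed.

```perl
#!/usr/bin/perl
# Added example for this advisory, not part of Net::CIDR::Lite.
# Reject any IPv6 text that does not pack to exactly 16 bytes before it
# can reach Net::CIDR::Lite's string-comparison based find().
use strict;
use warnings;
use Socket qw(AF_INET6 inet_pton);

# Uncompressed form: exactly eight groups of 1-4 hex digits.
# Returns the 16-byte packed address, or undef if the text is malformed.
sub pack_ipv6_uncompressed {
    my ($addr) = @_;
    my @groups = split /:/, $addr, -1;    # -1 keeps trailing empty fields
    return undef unless @groups == 8;
    for my $g (@groups) {
        return undef unless $g =~ /\A[0-9a-fA-F]{1,4}\z/;
    }
    return pack 'n8', map { hex } @groups;    # 8 x 16-bit big-endian = 16 bytes
}

# Accept compressed ("::") forms as well, via the C library's parser,
# but still insist on a 16-byte result.
sub pack_ipv6_strict {
    my ($addr) = @_;
    my $bin = pack_ipv6_uncompressed($addr);
    $bin = inet_pton(AF_INET6, $addr) unless defined $bin;
    return undef unless defined $bin && length($bin) == 16;
    return $bin;
}

# Hypothetical guarded wrapper around Net::CIDR::Lite->find.
# Malformed input is an error, never a silent "in range" or "not in range".
sub safe_find {
    my ($cidr, $addr) = @_;
    defined pack_ipv6_strict($addr)
        or die "refusing to look up malformed IPv6 address '$addr'\n";
    return $cidr->find($addr);
}

# The malformed inputs named in the advisory, plus valid ones for contrast.
for my $addr ('abcd', '1:2:3', '1:2:3:4:5:6:7',
              '2001:db8:0:0:0:0:0:1', '2001:db8::1') {
    printf "%-22s -> %s\n", $addr,
        defined pack_ipv6_strict($addr) ? 'accepted (16 bytes)' : 'rejected';
}

# Guarded lookup against a constructed allow list, if the module is present.
if (eval { require Net::CIDR::Lite; 1 }) {
    my $acl = Net::CIDR::Lite->new('2001:db8::/32');
    for my $addr ('2001:db8:0:0:0:0:0:1', '2001:db9::1', '1:2:3:4:5:6:7') {
        my $r = eval { safe_find($acl, $addr) };
        print defined $r ? "$addr in ACL: " . ($r ? 'yes' : 'no') . "\n"
                         : "error: $@";
    }
}
```

The wrapper fails closed: a malformed address raises an error rather than being answered, so an ACL built on it can deny by default instead of letting a short packed value decide the outcome. Apply the same check to the range strings used to build the object, since the advisory's trigger is a malformed endpoint as well as a malformed lookup address.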

Remediation

Users are advised to update to Net::CIDR::Lite version 0.23 or later, where this vulnerability has been addressed. The installed version can be checked with `perl -MNet::CIDR::Lite -e 'print "$Net::CIDR::Lite::VERSION\n"'`. Until the upgrade is deployed, validate every IPv6 address and range string before passing it to the module and reject anything that does not parse to a full 16-byte address.

Added: Apr 10, 2026, 10:19 PM
Updated: Apr 10, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 5.4
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.