Net::CIDR::Lite IPv4 Mapped IPv6 Address Handling Vulnerability Allowing IP ACL Bypass

Vulnerability

Net::CIDR::Lite for Perl, in versions prior to 0.23, mishandles IPv4-mapped IPv6 addresses. The _pack_ipv6() function incorrectly includes the sentinel byte produced by _pack_ipv4() when building the packed representation of such an address, so the result is 18 bytes long instead of the correct 17 bytes and the IPv4 portion of the address is misaligned. The wrong length then breaks mask operations, because a bitwise AND truncates to the shorter operand, and it breaks the find() and bin_find() methods, which rely on Perl's string comparison. As a result, find() may match addresses it should reject or overlook addresses it should accept. The trigger is a valid IPv4-mapped IPv6 address as defined in RFC 4291.

Impact

The vulnerability can cause an IP Access Control List (ACL) bypass: find() misreports whether an address falls within a configured range, potentially allowing unauthorized access or actions.

Reproduction

To reproduce this vulnerability, create a Net::CIDR::Lite object and add an IPv4-mapped IPv6 address range such as '::ffff:192.168.1.0/120'. Then use the find() method to check for another IPv4-mapped address, such as '::ffff:192.168.2.0'. On an affected version, find() incorrectly returns true, demonstrating the ACL bypass.
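The following check script is added here and is not part of the advisory or of the Net::CIDR::Lite distribution; it runs the reproduction above against the installed module and reports whether it is affected. The in-range probe '::ffff:192.168.1.10' is a constructed sanity check, and the expected results assume the correct behaviour described above (the /120 covers only 192.168.1.0 to 192.168.1.255).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::CIDR::Lite;

# Version string of the installed module; the advisory says < 0.23 is affected.
my $version = $Net::CIDR::Lite::VERSION // 'unknown';

# ACL holding only the IPv4-mapped /120 from the advisory
# (the same hosts as 192.168.1.0/24).
my $acl = Net::CIDR::Lite->new;
$acl->add('::ffff:192.168.1.0/120');

# Probe addresses and the answer a correct find() must give.
# '::ffff:192.168.1.10' is a constructed in-range check;
# '::ffff:192.168.2.0' is the out-of-range address from the advisory.
my %expected = (
    '::ffff:192.168.1.10' => 1,
    '::ffff:192.168.2.0'  => 0,
);

my $affected = 0;
for my $ip (sort keys %expected) {
    my $got = $acl->find($ip) ? 1 : 0;
    my $status = $got == $expected{$ip} ? 'ok' : 'MISMATCH';
    printf "%-22s find() = %d  expected %d  %s\n",
        $ip, $got, $expected{$ip}, $status;
    $affected = 1 if $got != $expected{$ip};
}

print "Net::CIDR::Lite $version: ",
    ($affected
        ? "AFFECTED - find() misjudges IPv4-mapped addresses; upgrade to 0.23 or later\n"
        : "not affected by this check\n");

# Non-zero exit makes the script usable as a gate in a CI or deployment check.
exit $affected;
```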

Remediation

Users can upgrade to Net::CIDR::Lite version 0.23 or later, where this vulnerability has been fixed.

Added: Apr 10, 2026, 10:19 PM
Updated: Apr 10, 2026, 10:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.4
remediation: 0.0
relevance: 5.6
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.