Executive Summary

CVE-2021-4456 is a vulnerability in the Perl module Net::CIDR versions before 0.24, where the functions addr2cidr and cidrlookup mishandle IP CIDR addresses that contain leading zeros in their octets.

Specifically, these functions may return CIDR strings with leading zeros, which can be interpreted as octal numbers by other software components. This misinterpretation can cause incorrect IP address parsing.

An attacker could exploit this behavior to bypass access controls that rely on IP address matching, by crafting IP addresses with leading zeros that are parsed differently than intended.

Although the module provides a cidrvalidate function to validate untrusted CIDR strings, this validation is optional and not enforced by default, leading to potential misuse.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to bypass IP-based access controls or security filters that rely on CIDR address parsing.

If your system uses Net::CIDR functions like addr2cidr or cidrlookup on untrusted input without proper validation, attackers might craft IP addresses with leading zeros that are interpreted differently, potentially granting unauthorized access.

This could lead to unauthorized network access, exposure of sensitive resources, or other security breaches depending on how IP address filtering is used in your environment.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves mishandling of leading zeros in IP CIDR addresses by the Net::CIDR Perl module, which may cause incorrect IP address parsing and potential bypass of access controls.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should check if your Perl environment uses Net::CIDR versions before 0.24.'}, {'type': 'paragraph', 'content': 'You can verify the installed version of Net::CIDR with the following command:'}, {'type': 'list_item', 'content': 'perl -MNet::CIDR -e \'print $Net::CIDR::VERSION, "\\n"\''}, {'type': 'paragraph', 'content': 'If the version is older than 0.24, your system is potentially vulnerable.'}, {'type': 'paragraph', 'content': "Additionally, you can test if the functions addr2cidr or cidrlookup return CIDR strings with leading zeros by running a Perl script that calls these functions with IP addresses containing leading zeros, for example '010.0.0.1'."}, {'type': 'list_item', 'content': 'perl -MNet::CIDR -e \'use Data::Dumper; print Dumper(Net::CIDR::addr2cidr("010.0.0.1"));\''}, {'type': 'paragraph', 'content': 'If the output contains octets with leading zeros, the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the Net::CIDR Perl module to version 0.24 or later, where the vulnerability has been fixed by stripping leading zeros from IP address octets in the addr2cidr function.

If upgrading is not immediately possible, ensure that any untrusted CIDR strings are validated using the cidrvalidate() function before being processed by addr2cidr or cidrlookup, as recommended in the documentation.

This validation step helps prevent attackers from exploiting leading zero octets to bypass access controls.

Review your code to avoid calling addr2cidr or cidrlookup with untrusted input without prior validation.

Useful 0 Not Useful 0