{"id":2772,"date":"2021-08-07T21:27:19","date_gmt":"2021-08-07T15:57:19","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2772"},"modified":"2021-08-07T21:27:22","modified_gmt":"2021-08-07T15:57:22","slug":"how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/","title":{"rendered":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability?"},"content":{"rendered":"\n
The frequently used \u201cnet\u201d library in Go and Rust languages is also harmed by the mixed-format IP address validation vulnerability. The flaw has do not with how net treats IP addresses as decimal, even when they are given in a mixed (octal-decimal) format.<\/p><\/p>\n\n\n\n
Therefore, applications relying on the net could be vulnerable to indeterminate Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) vulnerabilities. Moreover, the error affected various implementations of the netmask library, depended on thousands of applications.<\/p><\/p>\n\n\n\n
Later on, the Python standard library called IP address was also discovered to be vulnerable to the flaw.<\/p><\/p>\n\n\n\n
Well-known Zero changes the IP address<\/strong><\/h2>\n\n\n\n
This week, at DEF CON, security investigators Cheng Xu, Victor Viale, Sick Codes, Nick Sahler, Kelly Kaoudis, open note, and John Jackson have revealed an error in the net module of Go and Rust languages.<\/p><\/p>\n\n\n\n
The vulnerability, tracked by CVE-2021-29922 (for Rust) and CVE-2021-29923 (for Golang) issues on how net handles mixed-format IP addresses, or more specifically when a decimal IPv4 address includes a leading zero.<\/p><\/p>\n\n\n\n
A simple search for \u201cimport net\u201d on GitHub announced over 4 million files for Go alone relying on the net library.<\/p><\/p>\n\n\n\n
An IP address can be represented in several formats, including hexadecimal and integer, however, most commonly seen IPv4 addresses are expressed in the decimal format.<\/p><\/p>\n\n\n\n
For example, our IPv4 addresses represented in decimal format is 104.20.59.209, but the same can be expressed in the octal format as, 0150.0024.0073.0321.<\/p><\/p>\n\n\n\n
Like you are given an IP address in decimal format, 127.0.0.1, which is most widely understood as the local loopback address or localhost.<\/p><\/p>\n\n\n\n
If one wants to prefix a 0 to it, should an application still parse 0127.0.0.1 as 127.0.0.1 or something else? <\/p><\/p>\n\n\n\n
You should try this in your web browser. In a test by our experts, typing 0127.0.0.1\/ in Chrome\u2019s address bar has the browser treating it as an IP in octal format.<\/p><\/p>\n\n\n\n
On pressing enter or return, the IP changes to its decimal equivalent of 87.0.0.1, which is how most applications are supposed to manage such uncertain IP addresses.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
On a particular note is a fact, 127.0.0.1 is not a public IP address but a loopback address, however, its uncertain representation changes it to a public IP address leading to a different host altogether.<\/p><\/p>\n\n\n\n
In the cases of the net library, any leading zeros would simply be stripped and discarded.<\/p><\/p>\n\n\n\n
Therefore, if a developer was using net to validate if an IP address belongs to a certain range (e.g. parsing a list of IPs against an access control list (ACL)), the result may come across for octal-based representations of IPv4 addresses.<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
Multiple Applications and Languages Harmed<\/strong><\/h2>\n\n\n\n
Go and Rust is not the only languages to be harmed by this flaw.<\/p><\/p>\n\n\n\n
This mixed-format IP address validation flaw had previously harmed Python\u2019s IP address library (CVE-2021-29921), netmask implementations (CVE-2021-28918, CVE-2021-29418), and similar libraries.<\/p><\/p>\n\n\n\n
In most of the cases, the flaw has been rated as having a High or sensitive severity:<\/p><\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
As per the project maintainers, Golang\u2019s net module would have patch (1,2) issues in (beta) version 1.17.<\/p><\/p>\n\n\n\n
\u201cAll in all, since they were standard library changes that would harm all the projects written in the language themselves, they required a lot of testing or for the patches to be made redundant,\u201d Sick Codes told our experts in an email interview.<\/p><\/p>\n\n\n\n
Rust language users should be using a version of 1.53.0 or above that includes the mitigation for this vulnerability. <\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
The frequently used \u201cnet\u201d library in Go and Rust languages is also harmed by the mixed-format IP address validation vulnerability. The flaw has do not with how net treats IP addresses as decimal, even when they are given in a mixed (octal-decimal) format. Therefore, applications relying on the net could be vulnerable to indeterminate Server-Side […]<\/p>\n","protected":false},"author":2,"featured_media":2779,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"yoast_head":"\n
How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"The frequently used \u201cnet\u201d library in Go and Rust languages is also harmed by the mixed-format IP address validation vulnerability. The flaw has do not with how net treats IP addresses as decimal, even when they are given in a mixed (octal-decimal) format. Therefore, applications relying on the net could be vulnerable to indeterminate Server-Side […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-08-07T15:57:19+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-08-07T15:57:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Rust-net-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-featured-image-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability?\",\"datePublished\":\"2021-08-07T15:57:19+00:00\",\"dateModified\":\"2021-08-07T15:57:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\"},\"wordCount\":580,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Vulnerabilities\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\",\"url\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\",\"name\":\"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-08-07T15:57:19+00:00\",\"dateModified\":\"2021-08-07T15:57:22+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/","og_locale":"en_US","og_type":"article","og_title":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited","og_description":"The frequently used \u201cnet\u201d library in Go and Rust languages is also harmed by the mixed-format IP address validation vulnerability. The flaw has do not with how net treats IP addresses as decimal, even when they are given in a mixed (octal-decimal) format. Therefore, applications relying on the net could be vulnerable to indeterminate Server-Side […]","og_url":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-08-07T15:57:19+00:00","article_modified_time":"2021-08-07T15:57:22+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Rust-net-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-featured-image-1.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability?","datePublished":"2021-08-07T15:57:19+00:00","dateModified":"2021-08-07T15:57:22+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/"},"wordCount":580,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Vulnerabilities"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/","url":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/","name":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability? - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-08-07T15:57:19+00:00","dateModified":"2021-08-07T15:57:22+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/how-go-and-rust-net-library-impacted-by-sensitive-ip-address-validation-vulnerability\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"How Go and Rust \u201cnet\u201d library Impacted by Sensitive IP Address Validation Vulnerability?"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2772"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2772"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2772\/revisions"}],"predecessor-version":[{"id":2780,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2772\/revisions\/2780"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2779"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Rust-net-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-image1-1024x443.jpg\")
<\/figure><\/div>\n\n\n\n![\"How-Rust-\u201cnet\u201d-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Rust-net-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-image2-1024x948.jpg\")
<\/figure><\/div>\n\n\n\n![\"How-Rust-\u201cnet\u201d-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-image3\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/08\/How-Rust-net-library-Impacted-by-Sensitive-IP-Address-Validation-Vulnerability-image3-1024x933.jpg\")
<\/figure><\/div>\n\n\n\n