Sick Codes - Security Research, Hardware & Software Hacking, Consulting, Linux, IoT, Cloud, Embedded, Arch, Tweaks & Tips!

CVE-2020-28360 – private-ip npm package – Incorrect Regular Expression – Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF.

by Sick Codes
November 23, 2020 - Updated on December 31, 2020
in Security
CVE-2020-28360 IP Phone Home

CVE ID: CVE-2020-28360

CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Internal ID: SICK-2020-022

Vendor: private-ip Project

Product: private-ip

Product Versions: 1.0.5 and below

Vulnerability Details

Insufficient regular expressions in the private-ip npm package v1.0.5 and below fail to filter reserved IP ranges, resulting in indeterminate SSRF. An attacker can issue a large range of requests to ARIN-reserved IP ranges, resulting in an indeterminable number of critical attack vectors for server-side projects using private-ip 1.0.5 and below.

The private-ip npm package is a popular server-side package that fails to filter ARIN-reserved IP ranges, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

The package is a security package intended to prevent remote requests from reaching internal resources. The regular expressions implemented in v1.0.5 and below do not account for the wide range of variations of localhost, private IP ranges, and other IP ranges reserved by ARIN.
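To show why string matching is the wrong tool for this check, the following added example (not code from the private-ip project or its authors) contrasts a hypothetical prefix regex with a CIDR-based test of the kind the fix moved to (the netmask package named in the timeline below); the regex, the range list and the function names are this example's own, and it uses no dependencies so it runs offline.

```javascript
// Added example, not code from the private-ip project.
// "Before": a hand-written prefix regex (hypothetical, not the one shipped in
// private-ip) that covers a few ranges and misses the rest of reserved space.
const NAIVE_PRIVATE_RE = /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.0\.0\.1$)/;

function isPrivateNaive(ip) {
  return NAIVE_PRIVATE_RE.test(ip);
}

// "After": special-purpose IPv4 blocks as CIDRs; membership is a mask comparison.
const RESERVED_CIDRS = [
  '0.0.0.0/8',        // "this" network
  '10.0.0.0/8',       // private
  '100.64.0.0/10',    // shared address space
  '127.0.0.0/8',      // loopback, the whole /8 and not just 127.0.0.1
  '169.254.0.0/16',   // link-local
  '172.16.0.0/12',    // private
  '192.0.2.0/24',     // TEST-NET-1
  '192.168.0.0/16',   // private
  '198.51.100.0/24',  // TEST-NET-2
  '203.0.113.0/24',   // TEST-NET-3
  '224.0.0.0/4',      // multicast
  '240.0.0.0/4',      // reserved and broadcast
];

// Strict parser: four decimal octets, no leading zeros, no shorthand.
// Returns the address as an unsigned 32-bit integer, or null if not canonical.
function parseIPv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  let n = 0;
  for (const s of m.slice(1)) {
    if (s.length > 1 && s[0] === '0') return null;
    const o = Number(s);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

function inCidr(addr, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xFFFFFFFF << (32 - Number(bits))) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base) & mask) >>> 0);
}

// Fail closed: anything the strict parser rejects is reported as non-public.
function isPrivateCidr(ip) {
  const addr = parseIPv4(ip);
  return addr === null || RESERVED_CIDRS.some((c) => inCidr(addr, c));
}
```

Note that the regex gives the wrong answer for 127.0.0.2 and for any link-local or shared-address-space host, while the CIDR check classifies them correctly and also refuses non-canonical input instead of passing it on.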

Vendor Response

Patched in version 2.0.0

Credits

@johnjhacking – https://twitter.com/johnjhacking/ Application Security Engineer @Shutterstock: Initial discovery.

Harold Hunt – https://www.linkedin.com/in/huntharo/ Site Reliability Engineering @Shutterstock: Initial discovery.

@sickcodes – https://twitter.com/sickcodes/ Independent Security Researcher: Further analysis, co-authored patch & proofs of concept.

@tensor_bodega – https://twitter.com/tensor_bodega Machine Learning Engineer @Squarespace: Further analysis, co-authored patch & proofs of concept.

Disclosure Timeline

  • 2020-11-06 – Researchers at Shutterstock identify vulnerability (John Jackson & Harold Hunt).
  • 2020-11-06 – CVE Requested.
  • 2020-11-08 – CVE Assigned CVE-2020-28360.
  • 2020-11-08 – Researchers notify npm.
  • 2020-11-11 – Maintainer notified.
  • 2020-11-11 – Maintainer responds.
  • 2020-11-18 – Researcher requests update from maintainer.
  • 2020-11-18 – Maintainer asks for clarification.
  • 2020-11-18 – Researchers provide examples of usage in the wild.
  • 2020-11-19 – Maintainer provides attempted patch.
  • 2020-11-19 – Researchers invalidate patch.
  • 2020-11-19 – Additional researchers engaged to validate the vulnerability and create a PoC (Sick Codes & Nick Sahler).
  • 2020-11-19 – Additional researchers validate further, write PoC, replace regex with more comprehensive netmask package, and submit PR.
  • 2020-11-20 – Maintainer notified that PR is in.
  • 2020-11-24 – Maintainer merges PR.
  • 2020-11-24 – Researchers publish CVE-2020-28360.

References

https://www.npmjs.com/package/private-ip

https://johnjhacking.com/blog/cve-2020-28360

https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-022.md

https://sick.codes/sick-2020-022

https://twitter.com/johnjhacking

https://www.linkedin.com/in/huntharo

https://twitter.com/sickcodes

https://twitter.com/tensor_bodega

CVE Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28360

Mitigation

Update private-ip to version 2.0.0.

© 2017-2021 Sick.Codes