Sick Codes - Linux, NetSec, VPS, Arch, Debian, CentOS Tweaks & Tips!

CVE-2020-28360 – private-ip npm package – Incorrect Regular Expression – Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF.

by admin
November 23, 2020 - Updated on December 31, 2020
in Security
CVE-2020-28360 IP Phone Home


CVE ID

CVE-2020-28360

CVSS Score

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Internal ID

SICK-2020-022

Vendor

private-ip Project

Product

private-ip

Product Versions:

1.0.5 and below

Vulnerability Details

The regular expressions in the private-ip npm package v1.0.5 and below insufficiently filter reserved IP ranges, resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors for server-side projects using private-ip 1.0.5 and below.

The private-ip npm package is a popular server-side package which fails to filter ARIN reserved IP ranges, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

The package is a security package used to attempt to prevent remote requests from reaching internal resources. The RegEx implemented in v1.0.5 and below does not sufficiently account for a wide range of variations of localhost, private IP ranges, and IP ranges that are otherwise reserved by ARIN.
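
The failure mode described above, as an added example that is not the private-ip source or its patch: a prefix-matching regex, constructed here for illustration, beside a check that parses the address to a number, compares it against CIDR ranges and treats anything it cannot parse as reserved. The function names, the sample regex and the sample addresses are assumptions, and only IPv4 is covered.

```javascript
// Added example, constructed for illustration; names and regex are hypothetical.
// Special-purpose IPv4 blocks (IANA special-purpose address registry).
const RESERVED_CIDRS = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.0.0.0/24', '192.0.2.0/24',
  '192.168.0.0/16', '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24',
  '224.0.0.0/4', '240.0.0.0/4',
];

// Hypothetical prefix-matching regex of the kind the advisory warns about.
const NAIVE_PRIVATE_RE = /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
function naiveIsPrivate(text) {
  return NAIVE_PRIVATE_RE.test(text);
}

// Strict dotted-decimal parser: four octets, 0-255, no leading zeros.
// Returns the address as an unsigned 32-bit number, or null if not canonical.
function ipv4ToInt(text) {
  if (typeof text !== 'string') return null;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  let value = 0;
  for (const part of m.slice(1)) {
    if ((part.length > 1 && part[0] === '0') || Number(part) > 255) return null;
    value = value * 256 + Number(part);
  }
  return value;
}

// Precompute [start, end] for each CIDR so membership is a numeric comparison.
const RANGES = RESERVED_CIDRS.map((cidr) => {
  const [base, bits] = cidr.split('/');
  const start = ipv4ToInt(base);
  return { start, end: start + 2 ** (32 - Number(bits)) - 1 };
});

// Fail closed: anything that is not canonical IPv4 is treated as reserved.
function isReservedIPv4(text) {
  const n = ipv4ToInt(text);
  return n === null || RANGES.some((r) => n >= r.start && n <= r.end);
}

// Returns the inputs the regex lets through but the range check blocks.
function missedByRegex(samples) {
  return samples.filter((s) => !naiveIsPrivate(s) && isReservedIPv4(s));
}
// Constructed sample inputs.
const SAMPLES = ['10.1.2.3', '0.0.0.0', '100.64.0.1', '169.254.10.10',
  '198.18.0.1', '0177.0.0.1', '8.8.8.8', '172.32.0.1'];
console.log(missedByRegex(SAMPLES));
```

When the input is a hostname, the check belongs on the resolved address the client actually connects to, not on the name.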

Vendor Response

Patched in version 2.0.0

Credits

@johnjhacking – https://twitter.com/johnjhacking/ Application Security Engineer @Shutterstock: Initial discovery.

Harold Hunt – https://www.linkedin.com/in/huntharo/ Site Reliability Engineering @Shutterstock: Initial discovery.

@sickcodes – https://twitter.com/sickcodes/ Independent Security Researcher: Further analysis, co-authored patch & proofs of concept.

@tensor_bodega – https://twitter.com/tensor_bodega Machine Learning Engineer @Squarespace: Further analysis, co-authored patch & proofs of concept.

Disclosure Timeline

  • 2020-11-06 – Researchers at Shutterstock identify vulnerability (John Jackson & Harold Hunt).
  • 2020-11-06 – CVE Requested.
  • 2020-11-08 – CVE Assigned CVE-2020-28360.
  • 2020-11-08 – Researchers notify npm.
  • 2020-11-11 – Maintainer notified.
  • 2020-11-11 – Maintainer responds.
  • 2020-11-18 – Researcher requests update from maintainer.
  • 2020-11-18 – Maintainer asks for clarification.
  • 2020-11-18 – Researchers provide examples of usage in the wild.
  • 2020-11-19 – Maintainer provides attempted patch.
  • 2020-11-19 – Researchers invalidate patch.
  • 2020-11-19 – Additional researchers engaged to validate the vulnerability, and create PoC (Sick Codes & Nick Sahler).
  • 2020-11-19 – Additional researchers validate further, write PoC, replace regex with more comprehensive netmask package, and submit PR.
  • 2020-11-20 – Maintainer notified that PR is in.
  • 2020-11-24 – Maintainer merges PR.
  • 2020-11-24 – Researchers publish CVE-2020-28360.

References

https://www.npmjs.com/package/private-ip

https://johnjhacking.com/blog/cve-2020-28360

https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-022.md

https://sick.codes/sick-2020-022

https://twitter.com/johnjhacking

https://www.linkedin.com/in/huntharo

https://twitter.com/sickcodes

https://twitter.com/tensor_bodega

CVE Links

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360

https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28360

Mitigation

Update private-ip to version 2.0.0.

© 2017-2020 Sick.Codes
