Bug 1221564 (CVE-2021-47154)

Summary: VUL-0: CVE-2021-47154: perl-Net-CIDR-Lite: leading zeroes in IPv4 octets may allow attackers to bypass certain access controls
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andrea.mattiazzo, carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/397976/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47154:6.3:(AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-03-18 09:16:55 UTC
The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47154
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://www.cve.org/CVERecord?id=CVE-2021-47154
https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
https://metacpan.org/dist/Net-CIDR-Lite/changes
https://metacpan.org/pod/Net::CIDR::Lite
Comment 1 Carlos López 2024-03-18 09:17:51 UTC
Affects SUSE:SLE-15-SP1:Update. Already fixed in openSUSE:Factory.
Comment 2 Pedro Monreal Gonzalez 2024-03-18 09:45:43 UTC
Reproducer in [0]:
perl -MNet::CIDR::Lite -E 'my $c = Net::CIDR::Lite->new; $c->add("010.0.0.0/8"); 

> * Before:
>   10.0.0.0-10.255.255.255
> * After: 
>   Can't determine ip format at /usr/lib/perl5/vendor_perl/5.26.1/Net/CIDR/Lite.pm line 38.
> 	Net::CIDR::Lite::add(Net::CIDR::Lite=HASH(0x5613637c7220), "010.0.0.0/8") called at -e line 1

[0] https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
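The description and the reproducer in comment 2 turn on one fact: Net::CIDR::Lite before 0.22 read "010" as decimal 10, while the C inet_aton() family that the socket layer uses reads a leading zero as octal (8), so one string can name two different networks. The following is an added example written for this report, not code from Net::CIDR::Lite or from SUSE: it models both readings side by side (octet_inet_aton mimics the inet_aton leading-zero and 0x rules), and parse_cidr_strict shows the post-fix behaviour of rejecting the ambiguous form instead of guessing. All function names and the sample inputs are constructed here.

```python
import re
# Added example: the two octet readings behind CVE-2021-47154 and a strict parser.

def octet_decimal(s):
    """Octet as Net::CIDR::Lite before 0.22 read it: plain decimal, '010' -> 10."""
    return int(s, 10)

def octet_inet_aton(s):
    """Octet as C inet_aton() reads it: '0x..' is hex, leading '0' is octal, '010' -> 8."""
    if s[:2].lower() == "0x":
        return int(s[2:], 16)
    if len(s) > 1 and s[0] == "0":
        return int(s, 8)
    return int(s, 10)

def ipv4_to_int(text, octet_parser):
    """Dotted quad -> 32-bit int under the given octet reading, or None if rejected."""
    parts = text.split(".")
    try:
        octs = [octet_parser(p) for p in parts]
    except ValueError:
        return None
    if len(octs) != 4 or not all(0 <= n <= 255 for n in octs):
        return None
    return int.from_bytes(bytes(octs), "big")

def int_to_ipv4(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))

# Canonical decimal field: no leading zeros, no sign, no hex (used for octets and /n).
STRICT_FIELD = re.compile(r"0|[1-9][0-9]{0,2}")

def parse_cidr_strict(text):
    """Post-fix behaviour: 'a.b.c.d/n' -> (network_int, prefix_len); None for '010.0.0.0/8'."""
    addr, sep, plen = text.partition("/")
    octets = addr.split(".")
    if not sep or len(octets) != 4 or not STRICT_FIELD.fullmatch(plen) or int(plen) > 32:
        return None
    if not all(STRICT_FIELD.fullmatch(o) and int(o) <= 255 for o in octets):
        return None
    mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    return ipv4_to_int(addr, octet_decimal) & mask, int(plen)

def acl_disagreement(text):
    """(acl_view, socket_view) for one string; a differing pair is the bypass condition."""
    acl = ipv4_to_int(text, octet_decimal)
    conn = ipv4_to_int(text, octet_inet_aton)
    return (int_to_ipv4(acl) if acl is not None else None,
            int_to_ipv4(conn) if conn is not None else None)
```

For "010.0.0.1" the lenient ACL view is 10.0.0.1 while the socket view is 8.0.0.1; the strict parser refuses the string outright, which is the only reading that keeps both sides in agreement.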
Comment 3 Pedro Monreal Gonzalez 2024-03-18 09:45:58 UTC
Submitted here: https://build.suse.de/request/show/324220
Comment 5 Maintenance Automation 2024-04-12 12:30:01 UTC
SUSE-SU-2024:1256-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221564
CVE References: CVE-2021-47154
Maintenance Incident: [SUSE:Maintenance:32990](https://smelt.suse.de/incident/32990/)
Sources used:
openSUSE Leap 15.5 (src):
 perl-Net-CIDR-Lite-0.21-150100.6.3.1
Development Tools Module 15-SP5 (src):
 perl-Net-CIDR-Lite-0.21-150100.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.