CVE-2024-4032: ipaddress Module's Incorrect Classification of IPv4 and IPv6 Addresses as "Globally Reachable" or "Private"

The "ipaddress" module in CPython releases before 3.12.4 (and 3.13 pre-releases before 3.13.0a6) carried outdated information about whether certain IPv4 and IPv6 addresses are designated "globally reachable" or "private" in the IANA Special-Purpose Address Registries. Code that relies on the "is_private" and "is_global" properties to gate access, for example to keep a server-side request from reaching internal or special-purpose networks, could therefore admit addresses it should have rejected (or reject addresses it should have admitted), with unauthorized access and exposure of private data as the likely consequences.

Introduction

Python's "ipaddress" module exposes the "is_private" and "is_global" properties on the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes. They report whether an address or network is designated "private" (not globally reachable) or "globally reachable" in the IANA Special-Purpose Address Registries, and they are widely used in access-control decisions, for instance to stop an outbound request from being steered at loopback, link-local, or RFC 1918 addresses.

Unfortunately, the tables behind these properties were a snapshot of the IANA registries that had fallen behind. Before CPython 3.12.4 and 3.13.0a6 the module misclassified several IPv4 and IPv6 ranges, reporting some special-purpose addresses as globally reachable and some globally reachable addresses as private, so filters built on these properties could be bypassed or could block legitimate destinations.

Exploit Details

The misclassification is easiest to see with addresses the fix touches. Two cases from the CPython 3.12.4 change notes: in 192.0.0.0/24 (IETF Protocol Assignments) only the 192.0.0.0/29 sub-range was treated as private, and the 6to4 block 2002::/16 was not treated as private at all. The following snippet exercises both:

import ipaddress

# 192.0.0.128 lies in 192.0.0.0/24 but outside the 192.0.0.0/29 sub-range that
# unpatched versions knew about; 2002::1 lies in the 6to4 block 2002::/16.
ipv4_address = ipaddress.IPv4Address('192.0.0.128')
ipv6_address = ipaddress.IPv6Address('2002::1')

print(f"IPv4 address {ipv4_address} is private: {ipv4_address.is_private}")
print(f"IPv6 address {ipv6_address} is global: {ipv6_address.is_global}")

On an unpatched interpreter (3.12.3, for example) this prints "is private: False" for 192.0.0.128 and "is global: True" for 2002::1. Both answers are wrong: the IANA registries list both ranges as not globally reachable, so 3.12.4 and 3.13.0a6 report is_private as True and is_global as False for them.

CPython 3.12.4 and 3.13.0a6 refresh the module's tables from the current IANA Special-Purpose Address Registries, so on these versions the "is_private" and "is_global" properties of the IPv4 and IPv6 address and network classes match the registry designations.

Original References

This issue was initially reported by Marcel Raad in the Python bug tracker (https://bugs.python.org/issue43565). The Python development team subsequently addressed it by updating the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network class properties in Python 3.12.4 and 3.13.0a6 (CPython gh-113171). The authoritative sources for the classifications are the IANA IPv4 Special-Purpose Address Registry and the IANA IPv6 Special-Purpose Address Registry.

Recommendation

Developers should upgrade to Python 3.12.4, 3.13.0a6, or a later release to get the corrected "ipaddress" tables. If a project must stay on an older branch, verify the behaviour at runtime (for example, check that 192.0.0.128 and 2002::1 report is_private as True) rather than trusting the version string. Even on a fixed interpreter, "is_global" should not be the only line of defense in an SSRF or egress filter: it reflects the IANA designation of an address, not what your network can actually reach, so pair it with your own deny-list and apply the check to the address you actually connect to, after DNS resolution and after unwrapping IPv4-mapped IPv6 addresses.
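As an added example, not code from the original advisory or from CPython, here is a destination check of the kind used in an SSRF or egress filter, together with a runtime probe for whether the running interpreter carries the registry update. The extra deny-list entries are the ranges named in the CPython 3.12.4 change notes; the policy (allow only globally reachable addresses) and the function names are assumptions made for this example.

```python
import ipaddress
from typing import Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Ranges that the IANA Special-Purpose Address Registries list as not globally
# reachable but that unpatched ipaddress versions (before 3.12.4 / 3.13.0a6)
# reported as global. Taken from the CPython 3.12.4 change notes; listing them
# here makes the decision independent of the stdlib version in use.
_EXTRA_NON_GLOBAL = (
    ipaddress.ip_network("192.0.0.0/24"),    # IETF Protocol Assignments
    ipaddress.ip_network("64:ff9b:1::/48"),  # IPv4/IPv6 local translation
    ipaddress.ip_network("2002::/16"),       # 6to4
)

# Two single addresses inside 192.0.0.0/24 that the registry does mark as
# globally reachable (PCP anycast, RFC 7723, and TURN anycast, RFC 8155).
_GLOBAL_EXCEPTIONS = (
    ipaddress.ip_network("192.0.0.9/32"),
    ipaddress.ip_network("192.0.0.10/32"),
)


def ipaddress_has_registry_fix() -> bool:
    """Runtime probe: True when the stdlib classifies the way 3.12.4+ does.

    Checking behaviour instead of sys.version_info also covers interpreters
    on older branches that may or may not carry a backport.
    """
    return (ipaddress.ip_address("192.0.0.128").is_private
            and ipaddress.ip_address("2002::1").is_private)


def classify_destination(addr_str: str) -> Tuple[bool, str]:
    """Decide whether an outbound connection to addr_str may proceed.

    Returns (allowed, reason). Policy assumed for this example: only globally
    reachable addresses are allowed, so loopback, RFC 1918, link-local
    (including the 169.254.169.254 metadata endpoint), shared address space
    (100.64.0.0/10) and the registry ranges above are refused.
    """
    addr: IPAddress = ipaddress.ip_address(addr_str)

    # ::ffff:a.b.c.d reaches the embedded IPv4 host, so judge that host.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped

    # Membership tests across IP versions are simply False, so mixing v4 and
    # v6 networks in one tuple is safe.
    for net in _GLOBAL_EXCEPTIONS:
        if addr in net:
            return True, f"registry marks {net} globally reachable"

    for net in _EXTRA_NON_GLOBAL:
        if addr in net:
            return False, f"special-purpose range {net} (missed by unpatched ipaddress)"

    if not addr.is_global:
        return False, "ipaddress.is_global is False"

    return True, "globally reachable"


if __name__ == "__main__":
    # Constructed sample inputs, including ones an unpatched stdlib gets wrong.
    print("stdlib has registry fix:", ipaddress_has_registry_fix())
    for candidate in ("8.8.8.8", "192.0.0.128", "192.0.0.9", "2002::1",
                      "169.254.169.254", "100.64.0.1", "::ffff:127.0.0.1"):
        allowed, reason = classify_destination(candidate)
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{candidate:>20}: {verdict:5} ({reason})")
```

Because the explicit ranges are consulted before "is_global", the verdicts for the addresses above are the same on a patched and an unpatched interpreter; the probe merely tells you whether you are still depending on the fallback. Resolve hostnames yourself and pass the resolved address to the check, then connect to that same address, so a DNS answer cannot change between the check and the connection.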

Timeline

Published on: 06/17/2024 15:15:52 UTC
Last modified on: 08/29/2024 21:35:11 UTC