Описание
CPAN 2.28 allows Signature Verification Bypass.
A flaw was found in the way the perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Отчет
This vulnerability was rated as MODERATE severity because it allows an attacker to inject malicious packages into the CPAN system by bypassing signature verification, it requires the attacker to control a CPAN mirror and deceive the victim into using it, it poses a risk of installing compromised software. Within regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-347: Improper Verification of Cryptographic Signature vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low. The platform uses secure, encrypted HTTPS connections over TLS 1.2, and access to all platform resources is restricted by default. Red Hat enforces strong authentication through hard token-based multi-factor authentication (MFA), combined with least privilege principles to ensure that only authorized users and roles can execute or modify code. Internal and external certificates are established and maintained within a secure environment, and the platform enforces the use of FIPS-validated cryptographic modules across all compute resources. This reduces the risk of improper cryptographic signatures by ensuring that keys used for signature generation and verification are created with approved algorithms, securely managed, and protected against unauthorized access. Additionally, static code analysis and peer code reviews support robust input validation and error handling, reducing the likelihood of missing or improperly implemented signature validation mechanisms.
Меры по смягчению последствий
This issue can be mitigated by configuring perl-CPAN to only use trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and use HTTPS for communication with CPAN servers. If you already have a cpan configured, the list of configured mirrors can be viewed by running the cpan command without any argument and entering the following command on the cpan command's prompt:
Ensure that the URL list only includes trusted mirrors and that https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors, only one of the commands should be used):
After changing configuration, the following command must be used to save the configuration:
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | perl | Out of support scope | ||
| Red Hat Enterprise Linux 7 | perl | Out of support scope | ||
| Red Hat Enterprise Linux 8 | perl | Not affected | ||
| Red Hat Enterprise Linux 8 | perl:5.30/perl-CPAN | Will not fix | ||
| Red Hat Enterprise Linux 8 | perl:5.32/perl-CPAN | Will not fix | ||
| Red Hat Enterprise Linux 9 | perl | Not affected | ||
| Red Hat Enterprise Linux 9 | perl-CPAN | Not affected | ||
| Red Hat Software Collections | rh-perl530-perl-CPAN | Will not fix | ||
| Red Hat Enterprise Linux 8 | perl-CPAN | Fixed | RHSA-2025:8432 | 03.06.2025 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.8 High
CVSS3
EPSS
7.8 High
CVSS3