Description
CPAN 2.28 allows Signature Verification Bypass.
A flaw was found in the way perl-CPAN verified package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Statement
This vulnerability is rated Moderate severity mainly because of the multistep nature of the attack and the efficacy of environmental security controls. The underlying issue is a serious software flaw, CWE-347: Improper Verification of Cryptographic Signature: the client fails to correctly verify the digital authenticity of installation packages, which could allow an attacker to insert malicious software into the CPAN repository. Successful exploitation, however, requires a complex attack chain: the adversary must first gain control of a legitimate CPAN distribution mirror and then deceive a targeted user into initiating an install from that compromised source, which requires user interaction. Although the impact of a successful attack is high (complete compromise of the victim's data and system integrity), the severity is downgraded to Moderate in secure, regulated environments. Mandatory defenses there, such as enforcing HTTPS/TLS connections, multi-factor authentication (MFA), least-privilege access, and FIPS-validated cryptographic modules, create layered barriers that significantly increase the difficulty of both the initial mirror compromise and the social engineering of a protected user, lowering the overall practical risk.
Mitigation
This issue can be mitigated by configuring perl-CPAN to use only trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and to use HTTPS for communication with CPAN servers. If you already have cpan configured, the list of configured mirrors can be viewed by running the cpan command without any arguments and entering the following command at the cpan prompt:
Ensure that the URL list includes only trusted mirrors and that the https:// scheme is used for all URLs. A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors; only one of the commands should be used):
After changing the configuration, the following command must be used to save it:
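The mirror-audit steps above can be scripted so that a fleet of hosts is checked the same way. The following POSIX shell script is an added example, not part of the advisory or of perl-CPAN: it parses the `urllist` entry that the cpan shell writes into MyConfig.pm and flags any mirror that does not use https:// or is not one of the two trusted hosts named above. The two configuration files it checks are constructed inline for demonstration; the standard cpan shell commands for viewing, changing and saving the list are shown in comments.

```shell
#!/bin/sh
# Added example: audit a CPAN MyConfig.pm urllist for mirrors that are not
# HTTPS or not on the trusted hosts named in the advisory.
#
# The equivalent interactive steps in the cpan shell are:
#   o conf urllist                                 # show configured mirrors
#   o conf urllist https://www.cpan.org/           # replace the list with one mirror
#   o conf urllist push https://cpan.metacpan.org/ # append a second mirror
#   o conf commit                                  # save to MyConfig.pm

TRUSTED_HOSTS="www.cpan.org cpan.metacpan.org"

# extract_urllist FILE: print each mirror URL, one per line.
# Assumes the one-line layout cpan writes: 'urllist' => [q[URL], q[URL]],
extract_urllist() {
    grep "'urllist'" "$1" | grep -o 'q\[[^]]*\]' | sed 's/^q\[//; s/\]$//'
}

# check_urllist FILE: return 0 if every mirror is https:// and on a trusted
# host, 1 otherwise; offending entries are reported on stderr.
check_urllist() {
    rc=0
    for url in $(extract_urllist "$1"); do
        case "$url" in
            https://*) host=${url#https://}; host=${host%%/*} ;;
            *) echo "insecure scheme: $url" >&2; rc=1; continue ;;
        esac
        ok=0
        for t in $TRUSTED_HOSTS; do
            [ "$host" = "$t" ] && ok=1
        done
        [ "$ok" -eq 1 ] || { echo "untrusted mirror: $url" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample configurations (not real files from any system).
BAD_CFG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
$CPAN::Config = {
  'urllist' => [q[http://mirror.example.net/CPAN/], q[https://www.cpan.org/]],
};
EOF

GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
$CPAN::Config = {
  'urllist' => [q[https://www.cpan.org/], q[https://cpan.metacpan.org/]],
};
EOF

# Usage: point check_urllist at ~/.cpan/CPAN/MyConfig.pm on a real host.
for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if check_urllist "$cfg"; then
        echo "$cfg: OK"
    else
        echo "$cfg: needs fixing (o conf urllist ...; o conf commit)"
    fi
done
```

The check is deliberately strict about the scheme: a plain http:// mirror is reported even when its host is trusted, because the advisory's mitigation depends on TLS protecting the connection as well as on the choice of mirror.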
Affected Packages
| Platform | Package | State | Errata | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | perl | Out of support scope | | |
| Red Hat Enterprise Linux 7 | perl | Out of support scope | | |
| Red Hat Enterprise Linux 8 | perl | Not affected | | |
| Red Hat Enterprise Linux 8 | perl:5.30/perl-CPAN | Will not fix | | |
| Red Hat Enterprise Linux 8 | perl:5.32/perl-CPAN | Will not fix | | |
| Red Hat Enterprise Linux 9 | perl | Not affected | | |
| Red Hat Enterprise Linux 9 | perl-CPAN | Not affected | | |
| Red Hat Software Collections | rh-perl530-perl-CPAN | Will not fix | | |
| Red Hat Enterprise Linux 8 | perl-CPAN | Fixed | RHSA-2025:8432 | 03.06.2025 |
Additional information
CVSS3: 7.8 High