CVE-2023-31484 – Unverified TLS Certificates in CPAN.pm before 2.35 Puts Systems at Risk

Diving into the world of vulnerabilities, today we're going to discuss a security issue that has been assigned the identifier CVE-2023-31484, which affects the Perl module manager CPAN.pm. In this post, we'll cover the details of this vulnerability, the risks it poses, and practical exploitation techniques that hackers could use to leverage this weakness.

Vulnerability Background

CPAN, the Comprehensive Perl Archive Network, is a common repository for Perl modules. CPAN.pm is a Perl module that manages other Perl modules. It is present by default in almost every Perl installation and provides easy access to thousands of Perl modules hosted on CPAN.

The vulnerability in question affects versions of CPAN.pm before the 2.35 release, where it does not verify TLS (Transport Layer Security) certificates when downloading distributions over HTTPS (Hypertext Transfer Protocol Secure). This means hackers could intercept, modify, or inject malicious content into the module you are trying to download via a "man-in-the-middle" attack.

Exploit Details

To exploit this vulnerability, an attacker needs to be able to intercept the HTTPS connection between the client system and the remote CPAN server. This could be done using various techniques, such as ARP poisoning or rogue Wi-Fi hotspots.

Once the attacker is successfully intercepting the HTTPS connection, they can use tools like sslstrip to strip the SSL/TLS encryption and associate their own self-signed certificate on the connection without a valid hostname or CA chain. Since CPAN.pm does not verify TLS certificates, it will accept the connection without raising any warnings.

When CPAN.pm downloads a Perl module or distribution over this compromised HTTPS connection, the attacker can manipulate or alter the downloaded content, thus opening the door for malicious code execution, privilege escalation, or other attacks.

Here's an example of how a vulnerable CPAN.pm may download a package

$ cpan install Some::Module

This would download "Some::Module" from the CPAN repository, but without certificate verification, making it prone to attack:

https://www.cpan.org/authors/id/S/SO/SOME/Some-Module-1..tar.gz

A quick demonstration showed that CPAN.pm does not check the TLS certificate

$ perl -MCPAN -e 'install "Some::Module"'

References

The issue was originally reported to the CPAN.pm maintainers and a fix was released in version 2.35. If you are using CPAN.pm, it is advisable to update your CPAN.pm version to 2.35 or later to prevent this vulnerability from being exploited.

- Vulnerability details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31484
- CPAN.pm source repository and changes: https://github.com/andk/cpanpm
- CPAN.pm vulnerability fix changelog: https://metacpan.org/source/ANDK/CPAN-2.35/Changes#L24
- Perl CPAN documentation: https://www.cpan.org/modules/INSTALL.html

To mitigate this vulnerability and protect your systems, at least one of the following actions should be performed:

1. Update CPAN.pm to version 2.35 or later.

2. If you cannot update your CPAN.pm installation, consider manually verifying the TLS certificate by examining the certificate chain, hostname, and expiration date before installing any Perl modules via CPAN.pm.

Conclusion

In conclusion, the CVE-2023-31484 vulnerability exposes systems to potential man-in-the-middle attacks when downloading Perl distributions via CPAN.pm. It is essential to update your CPAN.pm installation or manually verify the TLS certificates to minimize the risks associated with this vulnerability. And as always, stay secure!

Timeline

Published on: 04/29/2023 00:15:00 UTC
Last modified on: 05/08/2023 17:11:00 UTC