Security Vulnerability: CVE-2020-16156 perl CPAN module signature bypass
This document (000020691) is provided subject to the disclaimer at the end of this document.
Valid attack scenarios can be:
* a victim installs an attacker-crafted perl module on a malicious or compromised mirror
* an attacker performs Man-in-the-Middle attack to provide a malicious module to the victim, instead of the trusted one.
The vulnerability affects all SLES 12 and 15 perl packages.
Moreover, the module signature verification is performed by the perl-Module-Signature package, not shipped in SLE. Therefore, when a user downloads a CPAN module, no matter the mirror, the module signature is never verified.
To address this vulnerability, and the absence of perl-Module-Signature, only trusted mirrors are allowed, such as
https://www.cpan.org and https://cpan.metacpan.org. Please use the following command in the CPAN shell to verify:
To add the official trusted mirrors, please use one of the two following commands:
conf urllist https://www.cpan.org conf urllist https://www.cpan.org https://cpan.metacpan.org
Please note that HTTPS should be used only and not HTTP. HTTPS ensures the identify of the mirror, preventing Man-in-the-Middle attack. Even though the signature of perl modules will not be verified due to the absence of perl-Module-Signature, the identify of the trusted server will be verified.
Finally, the new configuration needs to be saved:
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020691
- Creation Date: 08-Jul-2022
- Modified Date:08-Jul-2022
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
- SUSE Manager Server
- SUSE Linux Enterprise Micro
- SUSE Linux Enterprise HPC
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com