SUSE Support

Here When You Need Us

Security Vulnerability: CVE-2020-16156 perl CPAN module signature bypass

This document (000020691) is provided subject to the disclaimer at the end of this document.

Environment

For a comprehensive list of affected products please review the SUSE CVE announcement .

Situation

Independent security researcher identified a flaw in perl allowing an attacker to craft malicious perl modules, which signature will not be verified when installed by a victim.

Valid attack scenarios can be:

         * a victim installs an attacker-crafted perl module on a malicious or compromised mirror
         * an attacker performs Man-in-the-Middle attack to provide a malicious module to the victim, instead of the trusted one.

The vulnerability affects all SLES 12 and 15 perl packages.

Moreover, the module signature verification is performed by the perl-Module-Signature package, not shipped in SLE. Therefore, when a user downloads a CPAN module, no matter the mirror, the module signature is never verified.

Resolution

To address this vulnerability, and the absence of perl-Module-Signature, only trusted mirrors are allowed, such as
https://www.cpan.org and https://cpan.metacpan.org. Please use the following command in the CPAN shell to verify:

conf urllist


To add the official trusted mirrors, please use one of the two following commands:

conf urllist https://www.cpan.org
conf urllist https://www.cpan.org https://cpan.metacpan.org


Please note that HTTPS should be used only and not HTTP. HTTPS ensures the identify of the mirror, preventing Man-in-the-Middle attack. Even though the signature of perl modules will not be verified due to the absence of perl-Module-Signature, the identify of the trusted server will be verified.

Finally, the new configuration needs to be saved:

conf commit

Status

Security Alert

Additional Information

References:

https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/
https://www.suse.com/security/cve/CVE-2020-16156.html

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020691
  • Creation Date: 08-Jul-2022
  • Modified Date:08-Jul-2022
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
    • SUSE Manager Server
    • SUSE Linux Enterprise Micro
    • SUSE Linux Enterprise HPC

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center