Bug 2035273 (CVE-2020-16156)

Summary: CVE-2020-16156 perl-CPAN: Bypass of verification of signatures in CHECKSUMS files
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: caswilli, hhorak, jorton, jplesnik, kaycoth, mspacek, perl-devel, perl-maint-list, ppisar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: perl-CPAN 2.29
Doc Text:
A flaw was found in the way perl-CPAN performed verification of package signatures stored in CHECKSUMS files. A malicious or compromised CPAN server used by a user, or a man-in-the-middle attacker, could use this flaw to bypass signature verification.
Bug Depends On: 2035274, 2037211, 2038304, 2038305, 2038306, 2038307    
Bug Blocks: 2035276    

Description Marian Rehak 2021-12-23 12:51:33 UTC
It was found that cpan and cpanm are vulnerable to a signature verification bypass. Additionally, CPAN::Checksums (used by PAUSE) does not uniquely identify packages in the signed CHECKSUMS file, enabling a supply chain attack.

Reference:

https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

Comment 1 Marian Rehak 2021-12-23 12:51:47 UTC
Created perl-CPAN tracking bugs for this issue:

Affects: fedora-all [bug 2035274]

Comment 2 Tomas Hoger 2022-01-05 09:13:20 UTC
The report covers two separate methods to bypass verification of signatures stored in CHECKSUMS files:

1) The first problem is an implementation error found in both the perl-CPAN / CPAN.pm and perl-App-cpanminus modules.  Those modules did not correctly handle the return value of Module::Signature::_verify() and handled the CANNOT_VERIFY error return value as equivalent to the SIGNATURE_OK return value, i.e. assuming that the signature was correctly verified while verification failed or could not have been performed.  In perl-CPAN, this problem was fixed in the following commit applied in version 2.29:

https://github.com/andk/cpanpm/commit/b27c51adf0fda25dee84cb72cb2b1bf7d832148c

2) The second problem is related to the design of the CHECKSUMS file format. The file only contained file names inside of the CPAN author's directory, without indicating in any way which author the CHECKSUMS file is for.  As all CHECKSUMS files get signed by the same PAUSE ([Perl programming] Authors Upload Server) key, a CHECKSUMS file generated for one author could be used in a directory for a different author without clients being able to detect that.  This problem was fixed by extending the CHECKSUMS file format to introduce an additional attribute cpan_path that indicates which author directory the CHECKSUMS file is for.  perl-CPAN was enhanced to check this attribute via this commit also applied in version 2.29:

https://github.com/andk/cpanpm/commit/bcbf6d608e48d25306ecfd273118b4d6ba1c5df6

Related CVE-2020-16155 was assigned for the CPAN::Checksums module that is used to generate CHECKSUMS files.  The CVE covers the lack of information to indicate specific CPAN author directory in CHECKSUMS files.

Both of these issues could be exploited by malicious or compromised mirrors if used by users, or by a man-in-the-middle attacker in case a plain text HTTP connection was used to download packages instead of using encrypted HTTPS.  The exploitation of the second vulnerability additionally requires the attacker to have a valid CPAN author account to be able to get a malicious CHECKSUMS file to be generated and signed by CPAN / PAUSE.  Therefore, a recommended mitigation is to only configure CPAN clients to download packages from trusted CPAN mirrors (www.cpan.org and cpan.metacpan.org) and always use HTTPS.

Note that both CPAN.pm and cpanminus defaulted to not checking signatures in the CHECKSUMS file unless explicitly configured to do so.  Therefore, this issue was not relevant to users using the default configuration that did not enable signature verification.

Additional details about these issues can be found in the following blog post:

http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
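
The two checks described in comment 2, as an added Perl sketch that is not code from CPAN.pm, cpanminus or the linked commits. It assumes Module::Signature's constant values (SIGNATURE_OK is 0, CANNOT_VERIFY is the string '0E0') and that cpan_path is recorded on each file entry of the parsed CHECKSUMS hash; the function names and directory strings are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-ins for Module::Signature constants (assumed values: SIGNATURE_OK is 0,
# CANNOT_VERIFY is the "zero but true" string '0E0', SIGNATURE_BAD is -3).
use constant { SIGNATURE_OK => 0, CANNOT_VERIFY => '0E0', SIGNATURE_BAD => -3 };

# Flawed: '0E0' == 0 is true numerically, so CANNOT_VERIFY passes as success.
sub accepted_flawed { my ($rv) = @_; return $rv == SIGNATURE_OK ? 1 : 0 }

# Hardened: rule out CANNOT_VERIFY by string comparison before the numeric test.
sub accepted_fixed {
    my ($rv) = @_;
    return 0 if !defined $rv || $rv eq CANNOT_VERIFY;
    return $rv == SIGNATURE_OK ? 1 : 0;
}

# Point 2: every entry of a parsed CHECKSUMS hash must carry a cpan_path equal
# to the author directory it was fetched from. A missing cpan_path also fails.
sub foreign_entries {
    my ($cksum, $fetched_dir) = @_;
    my @bad = grep {
        my $p = $cksum->{$_}{cpan_path};
        !defined $p || $p ne $fetched_dir;
    } sort keys %$cksum;
    return @bad;
}

# Constructed sample: a CHECKSUMS generated for one author directory but
# served from another one (directory strings are placeholders).
my $cksum = {
    'Foo-1.0.tar.gz' => { sha256 => 'constructed', cpan_path => 'authors/id/B/BO/BOB' },
    'Bar-0.1.tar.gz' => { sha256 => 'constructed' },    # old format, no cpan_path
};

for my $rv (SIGNATURE_OK, CANNOT_VERIFY, SIGNATURE_BAD) {
    printf "rv=%-3s flawed=%d fixed=%d\n",
        $rv, accepted_flawed($rv), accepted_fixed($rv);
}
my @bad = foreign_entries($cksum, 'authors/id/A/AL/ALICE');
print "entries not signed for this directory: @bad\n";
```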

Comment 4 Tomas Hoger 2022-01-05 15:06:19 UTC
Note that the Module::Signature module that is used by both perl-CPAN and perl-App-cpanminus to perform verification of signatures from the CHECKSUMS files is not shipped with Red Hat Enterprise Linux 8.  It is shipped with Red Hat Enterprise Linux 7, but is not installed as a dependency when installing perl-CPAN, it is only required by perl-App-cpanminus.

When Module::Signature is not installed, both cpan and cpanm skip signature verification and continue with package installation without verification even when configured to perform verification (using check_sigs configuration option for cpan, or --verify command line option for cpanm).

Comment 5 Tomas Hoger 2022-01-05 20:12:37 UTC
There is another fix needed to properly fix the first attack vector in addition to the commit already linked in comment 2 above:

https://github.com/andk/cpanpm/commit/46fe910becd5746adca92e18660567c9e8d37eb5
https://github.com/andk/cpanpm/commit/7f9e5e8c52f535c1c13e177595a5ef4710c72058
https://github.com/andk/cpanpm/commit/c03257dbebccd4deeff1987d5efd98113643f717

These commits are also included in 2.29.

Comment 9 Tomas Hoger 2022-01-10 09:57:25 UTC
The mitigation recommended by upstream is to ensure that users are only using trusted CPAN mirrors (www.cpan.org or cpan.metacpan.org) and always use HTTPS when downloading packages.  If you already have cpan configured, the list of configured mirrors can be viewed by running the `cpan` command without any argument and entering the following command on the cpan command's prompt:

  o conf urllist

Ensure that the URL list only includes trusted mirrors and that https:// scheme is used for all URLs.  A different set of mirrors can be configured using the following commands (these examples show how to configure one or more mirrors, only one of the commands should be used):

  o conf urllist https://www.cpan.org
  o conf urllist https://www.cpan.org https://cpan.metacpan.org

After changing configuration, the following command must be used to save the configuration:

  o conf commit
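
An added Perl sketch (not part of the original comments or of CPAN.pm) that automates the manual review above and the condition from comment 4, where check_sigs is set but Module::Signature is absent. The helper name, the config hash and its URLs are constructed; only the `urllist` and `check_sigs` option names and the two trusted hosts come from this page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Mirrors named as trusted in the comments above.
my %TRUSTED = map { $_ => 1 } qw(www.cpan.org cpan.metacpan.org);

# Hypothetical helper: returns a list of findings for a hash that carries the
# urllist and check_sigs options of a cpan configuration.
sub audit_cpan_config {
    my ($conf, $have_modsig) = @_;
    my @findings;
    my @urls = @{ $conf->{urllist} || [] };
    push @findings, 'urllist is empty' unless @urls;
    for my $url (@urls) {
        my ($scheme, $auth) = $url =~ m{^([a-z][a-z0-9+.-]*)://([^/?#]+)}i;
        if (!defined $scheme) {
            push @findings, "unparseable URL: $url";
            next;
        }
        # Strip a numeric port only; anything else left in the authority
        # (for example userinfo) makes the host comparison fail on purpose.
        (my $host = lc $auth) =~ s/:\d+\z//;
        push @findings, "not HTTPS: $url"        if lc($scheme) ne 'https';
        push @findings, "untrusted mirror: $url" if !$TRUSTED{$host};
    }
    # Comment 4: with Module::Signature missing, verification is skipped
    # even though the configuration asks for it.
    if ($conf->{check_sigs} && !$have_modsig) {
        push @findings,
            'check_sigs is set but Module::Signature is not installed';
    }
    return @findings;
}

# Constructed sample configuration.
my $conf = {
    urllist => [
        'https://www.cpan.org',
        'http://cpan.metacpan.org',
        'https://mirror.example.invalid/CPAN',
    ],
    check_sigs => 1,
};
my $have_modsig = eval { require Module::Signature; 1 } ? 1 : 0;
print "$_\n" for audit_cpan_config($conf, $have_modsig);
```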

Comment 10 Tomas Hoger 2022-01-12 21:27:05 UTC
Two additional small corrective fixes amending fixes linked from comment 5 above:

https://github.com/andk/cpanpm/commit/7d4d5e32bcd9b75f7bf70a395938a48ca4a06d25
https://github.com/andk/cpanpm/commit/89b13baf1d46e4fb10023af30ef305efec4fd603

These are not included in version 2.29.