Critical CVE-2024-45321 Flaw in Popular Perl Module Installer cpanminus, No Patch Available

by do son · August 28, 2024

In a significant security advisory, the Perl community has been alerted to a critical vulnerability, CVE-2024-45321, affecting the widely-used App::cpanminus (cpanm) tool. Rated with a CVSS score of 9.8, this vulnerability poses a severe risk for users of cpanminus due to its default configuration, which utilizes unsecured HTTP connections for downloading and installing Perl modules from CPAN.

CVE-2024-45321 exposes users to a CWE-494 weakness, specifically the “Download of Code Without Integrity Check.” This means that, in its default state, cpanminus does not verify the integrity of the code it downloads. Without the protection of HTTPS, this leaves the door wide open for network attackers to intercept and modify the code during transmission, potentially executing malicious code on the user’s system.

Given cpanminus’s popularity as a lightweight and faster alternative to the official CPAN client, the impact of this vulnerability could be widespread. The insecure default configuration could lead to numerous systems being compromised, especially in environments where cpanminus is used to manage Perl modules.

While an official patch is yet to be released, users are strongly urged to take immediate steps to mitigate the risk. Three primary options are available:

Option 1: Set a HTTPS mirror Configure cpanminus to use a secure HTTPS mirror using the --from command-line argument or by setting the PERL_CPANM_OPT environment variable: export PERL_CPANM_OPT=”–from https://www.cpan.org”. However, be aware that this option disables support for downloading older releases from BackPan and development (TRIAL) releases, which may be a consideration for some users.
Option 2: Patch the cpanm executable For those needing to retain access to BackPan and TRIAL releases, patching the cpanm executable to replace all HTTP endpoints with HTTPS is a viable option. This can be achieved with the following Perl one-liner:
```
$ perl -pi -E 's{http://(www\.cpan\.org|backpan\.perl\.org|cpan\.metacpan\.org|fastapi\.metacpan\.org|cpanmetadb\.plackperl\.org)}{https://$1}g' /path/to/cpanm
```
This approach allows you to continue using cpanminus as before, while ensuring all module downloads are securely transmitted over HTTPS.
Option 3: Use an alternative client Switch to alternative Perl module installers like CPAN.pm (cpan) 2.35 or later, or App::cpm (cpm), which prioritize secure HTTPS connections by default.