Perl's HTTP::Tiny has insecure TLS default, affecting CPAN.pm and other modules

15/04/23 — sgo

[CVE-2023-31486] HTTP::Tiny is an HTTP client shipped with Perl (since v5.13.9) and also available as a standalone CPAN module. It does not verify TLS certificates by default; a caller has to opt in with verify_SSL => 1 to have the identity of the HTTPS server it is talking to checked at all.

The module is used by many distributions on CPAN, and likely other open source and proprietary software.

NOTE: This post summarizes security problems caused by the insecure default and how it affects code relying on it for https. For a discussion on how this is being addressed upstream, please see RFC: Making SSL_verify safer

Affected CPAN Modules

After PSA: HTTP::Tiny disabled SSL verification by default! was posted on Reddit, we were reminded that this might be a bigger problem than first thought.

So we searched through metacpan-cpan-extracted for distributions that use HTTP::Tiny without specifying the certificate verification behaviour. Distributions that use the module without mentioning verify_SSL anywhere in their code were flagged. See hackeriet.github.io/cpan-http-tiny-overview for the full list.

Most distributions we found did not enable the certificate verification feature, potentially exposing users to machine-in-the-middle attacks via a CWE-295: Improper Certificate Validation weakness.

… and more. We have done a search of CPAN and generated a list of 381 potentially problematic distributions.
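The search described above, as an added example rather than the tooling used for the published list: it walks a source tree and reports each Perl file that references HTTP::Tiny, split into files that never mention verify_SSL (and so get the insecure default), files that explicitly set it to 0, and files that mention it in some other way. It is the same text-matching heuristic the post describes, applied per file instead of per distribution, so the hits still need a manual look.

```perl
#!/usr/bin/perl
# Added example, not the post's own tooling: classify Perl sources that use
# HTTP::Tiny by how they treat verify_SSL. Heuristic only: a file that
# mentions verify_SSL may still pass 0 through a variable, and a file that
# never mentions it may receive a pre-configured object from elsewhere.
use strict;
use warnings;
use File::Find;

my $root = shift @ARGV // '.';
my %report = ( default => [], disabled => [], mentioned => [] );

find(
    {
        no_chdir => 1,
        wanted   => sub {
            my $path = $File::Find::name;
            return unless -f $path && $path =~ /\.(?:pm|pl|t|PL)\z/;
            open my $fh, '<', $path or do { warn "$path: $!\n"; return };
            my $src = do { local $/; <$fh> };
            close $fh;

            return unless $src =~ /\bHTTP::Tiny\b/;           # not a user of the module
            if ( $src !~ /\bverify_SSL\b/i ) {
                push @{ $report{default} }, $path;            # relies on the insecure default
            }
            elsif ( $src =~ /\bverify_SSL\b\s*(?:=>|,)\s*0\b/i ) {
                push @{ $report{disabled} }, $path;           # verification turned off on purpose
            }
            else {
                push @{ $report{mentioned} }, $path;          # probably sets it; confirm by reading
            }
        },
    },
    $root,
);

for my $kind ( qw(default disabled mentioned) ) {
    my @files = sort @{ $report{$kind} };
    printf "%-9s %d file(s)\n", $kind, scalar @files;
    print "  $_\n" for @files;
}
```

Run it as `perl audit-http-tiny.pl /path/to/extracted/cpan` (the script name is this example's own). The case-insensitive match is deliberate: HTTP::Tiny also accepts a lowercase verify_ssl key in its constructor.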

Mitigations

HTTP::Tiny upstream has not provided a patch or mitigation. Suggestions to change the insecure default have been turned down several times over the years because of backwards compatibility concerns. For additional information, please see the upstream discussion in RFC: Making SSL_verify safer.

To mitigate the risk caused by the CWE-1188: Insecure Default Initialization of Resource weakness, you have some options:

  • Modify affected code that uses HTTP::Tiny so that it passes verify_SSL => 1 to the constructor.

  • Modify affected code to use an HTTP client with secure defaults, such as Mojo::UserAgent or LWP::UserAgent.

  • Patch HTTP::Tiny on your system with a proposed patch that changes the default to verify_SSL => 1.
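The options above in code, as an added example written for this post and not code from the HTTP::Tiny project: the shipped default, the opt-in form from the first option, and a runtime variant of the third option that wraps HTTP::Tiny::new so verification is on unless a caller explicitly turns it off. The package name HTTP::Tiny::VerifyByDefault is made up for this example.

```perl
#!/usr/bin/perl
# Added example (not from the original post). Shows the insecure default,
# the opt-in verify_SSL => 1 form, and a process-wide override that turns
# verification on for code you cannot edit. The package name
# HTTP::Tiny::VerifyByDefault is an assumption made for this example.
use strict;
use warnings;
use HTTP::Tiny;

# 1. The shipped default: no certificate verification, so a machine in the
#    middle presenting any certificate for any name is accepted.
my $default = HTTP::Tiny->new;
printf "verify_SSL with defaults: %d\n", $default->verify_SSL ? 1 : 0;

# 2. The opt-in form. With verification on, HTTP::Tiny also needs a CA
#    bundle (SSL_CERT_FILE / SSL_CERT_DIR, Mozilla::CA or a system path);
#    can_ssl() called on an object reports whether one was found.
my $strict = HTTP::Tiny->new( verify_SSL => 1 );
my ( $ok, $why ) = $strict->can_ssl;
print $ok ? "verified HTTPS available\n" : "verified HTTPS NOT available:\n$why";

# 3. Process-wide override: wrap HTTP::Tiny::new so that verify_SSL is 1
#    unless the caller set it (HTTP::Tiny also reads a lowercase verify_ssl
#    key, so both spellings count as an explicit choice). Put this block in
#    its own .pm and load it before anything else, e.g. with
#    PERL5OPT=-MHTTP::Tiny::VerifyByDefault, to cover modules that build
#    their HTTP::Tiny object internally.
{
    package HTTP::Tiny::VerifyByDefault;
    my $orig_new = \&HTTP::Tiny::new;
    no warnings 'redefine';
    *HTTP::Tiny::new = sub {
        my ( $class, %args ) = @_;
        $args{verify_SSL} = 1
            unless exists $args{verify_SSL} || exists $args{verify_ssl};
        return $orig_new->( $class, %args );
    };
}

# A caller that never heard of verify_SSL now gets verification anyway.
my $patched = HTTP::Tiny->new;
printf "verify_SSL after override: %d\n", $patched->verify_SSL ? 1 : 0;

# An explicit opt-out still works, so the choice stays visible in code review.
my $optout = HTTP::Tiny->new( verify_SSL => 0 );
printf "verify_SSL with explicit 0: %d\n", $optout->verify_SSL ? 1 : 0;
```

On an affected version the three printf lines show 0, 1 and 0. The override applies to every perl process that inherits PERL5OPT, and subclasses that call SUPER::new go through it as well. With verification on, a host that has no CA bundle gets a status 599 error from HTTP::Tiny instead of a silently unverified connection; that is the backwards compatibility concern upstream cites, so check can_ssl on the target hosts before rolling the override out.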

Changes

  • 2023-04-18: Add reference to fixed CPAN.pm v2.35-TRIAL
  • 2023-04-29: Add CVE identifiers CVE-2023-31484, CVE-2023-31485, CVE-2023-31486