Concerns Raised Over Perl Security Flaw

Dyad Security Inc. on Wednesday posted an advisory about a potentiallyserious flaw in the open-source scripting language Perl but somesecurity experts say they find the vulnerability unlikely.

Dyad’s warning regards a vulnerability that could be exploited tolaunch a DOS (denial of service) attack. But Dyad also said that thevulnerability could be used by an attacker to access a server and thenlaunch a malicious application.

Researchers at other security firms have tried to test the vulnerability but have only been able to confirm the DOS potential.

Thomas Kristensen, Secunia’s chief technology officer, and his teamtested the vulnerability on many versions of Perl and didn’t find thepotential for an attacker to launch malicious code. “While we don’trule out that there is a possibility that it could be exploited more,we need more details to see if it’s true,” he said. “It’s difficult tosay that we tested the right version.” The original Dyad advisorydoesn’t specify which version of Perl contains the vulnerability. Inaddition, the vulnerability might only be present when certainapplications use Perl in a specific way, Kristensen said.

Kristensen also pointed to a posting from HD Moore, a well-knownsecurity expert and one of the founders of security firm DigitalDefense Inc., to the Full-disclosure security mailing list. Moore alsotested the vulnerability, though on just one version of Perl, andwasn’t able to exploit it.

There are two applications that are known to be susceptible to the DOSvulnerability and they have changed the way that they use Perl toprevent it, said Kristensen. “As far as we know, there’s no update forPerl at the moment,” he said. The applications are Webmin, a Web-basedadministration tool for configuring certain operating systems, andUsermin, a stripped-down version of Webmin.

By Nancy Gohring – IDG News Service (Dublin Bureau)