CVE-2018-18311
📋 TL;DR
This vulnerability is a buffer overflow in Perl's regular expression engine that allows attackers to execute arbitrary code or cause denial of service. It affects systems running vulnerable Perl versions that process untrusted regular expressions. Any application using Perl to evaluate user-supplied regex patterns is at risk.
💻 Affected Systems
- Perl
📦 What is this software?
E Series Santricity Os Controller by Netapp
Fedora by Fedoraproject
Perl by Perl
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service through application crashes or system instability when processing malicious regex patterns.
If Mitigated
Limited impact if input validation prevents untrusted regex patterns from reaching Perl's regex engine.
🎯 Exploit Status
The vulnerability is in the core regex engine, making exploitation straightforward once a malicious regex pattern is delivered. Public PoC exists in disclosure references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Perl 5.26.3 or 5.28.1 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:0001
Restart Required: No
Instructions:
1. Update Perl using your system package manager (yum update perl, apt-get upgrade perl).
2. For custom Perl installations, download and compile from perl.org.
3. Verify the update with 'perl -v'.
🔧 Temporary Workarounds
Input Validation for Regex Patterns
Sanitize and validate all user-supplied regular expression patterns before processing.
Implement regex pattern whitelisting or length/syntax validation in application code
Disable Regex Processing for Untrusted Input
Avoid using Perl's regex engine on untrusted data where possible.
Use alternative string matching methods or escape regex metacharacters
🧯 If You Can't Patch
- Implement strict input validation to block malicious regex patterns
- Isolate Perl applications in containers or VMs with limited permissions
🔍 How to Verify
Check if Vulnerable:
Run 'perl -v' and check whether the version is before 5.26.3 or is exactly 5.28.0
Check Version:
perl -v | head -2
Verify Fix Applied:
Confirm 'perl -v' shows 5.26.3+ or 5.28.1+
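The version check above can be scripted for fleet-wide use. This is an added example, not code from the advisory or the Perl project; the function names are hypothetical, and it assumes a plain MAJOR.MINOR.PATCH version string and treats the 5.27.x development series, which the page does not mention, as unknown.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Perl version string
# against the fixed releases this page names, 5.26.3 and 5.28.1.

# Prints "vulnerable", "fixed" or "unknown" for a version such as 5.26.2 or v5.28.1.
classify_perl_version() {
    ver=${1#v}
    old_ifs=$IFS; IFS=.
    set -- $ver                       # split MAJOR.MINOR.PATCH on dots
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unknown; return 0; }
    for part in "$@"; do
        case "$part" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done
    major=$1 minor=$2 patch=$3
    if [ "$major" -lt 5 ]; then echo vulnerable
    elif [ "$major" -gt 5 ]; then echo fixed
    elif [ "$minor" -lt 26 ]; then echo vulnerable      # before the 5.26 series
    elif [ "$minor" -eq 26 ]; then
        if [ "$patch" -lt 3 ]; then echo vulnerable; else echo fixed; fi
    elif [ "$minor" -eq 27 ]; then echo unknown         # assumption: page is silent on 5.27.x
    elif [ "$minor" -eq 28 ] && [ "$patch" -eq 0 ]; then echo vulnerable
    else echo fixed                                     # 5.28.1 and later
    fi
}

# Classify the perl found on PATH; $Config{version} is the plain dotted version.
local_perl_status() {
    command -v perl >/dev/null 2>&1 || { echo perl-not-found; return 0; }
    classify_perl_version "$(perl -MConfig -e 'print $Config{version}')"
}

echo "local perl: $(local_perl_status)"
```

Distribution packages often backport the fix without changing the upstream version string, so on those systems a "vulnerable" result should be confirmed against the package version in the vendor advisory rather than taken from 'perl -v' alone.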
📡 Detection & Monitoring
Log Indicators:
- Perl process crashes with segmentation faults
- Unusual regex patterns in application logs
- High CPU usage from Perl processes
Network Indicators:
- HTTP requests containing complex regex patterns to Perl-based endpoints
- Unexpected outbound connections from Perl processes
SIEM Query:
process_name:perl AND (event_type:crash OR cpu_usage:>90)
🔗 References
- http://seclists.org/fulldisclosure/2019/Mar/49
- http://www.securityfocus.com/bid/106145
- http://www.securitytracker.com/id/1042181
- https://access.redhat.com/errata/RHBA-2019:0327
- https://access.redhat.com/errata/RHSA-2019:0001
- https://access.redhat.com/errata/RHSA-2019:0010
- https://access.redhat.com/errata/RHSA-2019:0109
- https://access.redhat.com/errata/RHSA-2019:1790
- https://access.redhat.com/errata/RHSA-2019:1942
- https://access.redhat.com/errata/RHSA-2019:2400
- https://bugzilla.redhat.com/show_bug.cgi?id=1646730
- https://github.com/Perl/perl5/commit/34716e2a6ee2af96078d62b065b7785c001194be
- https://kc.mcafee.com/corporate/index?page=content&id=SB10278
- https://lists.debian.org/debian-lts-announce/2018/11/msg00039.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RWQGEB543QN7SSBRKYJM6PSOC3RLYGSM/
- https://metacpan.org/changes/release/SHAY/perl-5.26.3
- https://metacpan.org/changes/release/SHAY/perl-5.28.1
- https://rt.perl.org/Ticket/Display.html?id=133204
- https://seclists.org/bugtraq/2019/Mar/42
- https://security.gentoo.org/glsa/201909-01
- https://security.netapp.com/advisory/ntap-20190221-0003/
- https://support.apple.com/kb/HT209600
- https://usn.ubuntu.com/3834-1/
- https://usn.ubuntu.com/3834-2/
- https://www.debian.org/security/2018/dsa-4347
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html