Executive Summary
A critical stack overflow vulnerability (CVE-2017-20230) has been disclosed in Perl's Storable module for versions before 3.05. The flaw exists in the retrieve_hook function, which stores the length of a class name into a signed integer but subsequently treats that length as unsigned during read operations. An attacker can craft malicious serialized data to trigger this integer mismatch, causing a stack overflow that can be leveraged for remote code execution.
CVSS Score: 10.0 (Critical)
Storable is a core Perl module widely used for serializing and deserializing Perl data structures. Applications that deserialize untrusted Storable data — particularly those accepting user-supplied input through file uploads, network streams, or shared storage — are directly at risk.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2017-20230 |
| CVSS Score | 10.0 (Critical) |
| Type | Stack Overflow / Remote Code Execution |
| Component | Perl Storable module — retrieve_hook() |
| Attack Vector | Network / Local (wherever untrusted data is deserialized) |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Yes — upgrade to Storable 3.05 or later |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| Perl Storable | Before 3.05 | Upgrade to Storable 3.05+ |
Technical Analysis
Root Cause
The vulnerability originates in the retrieve_hook function within the Storable module. This function handles deserialization of blessed objects by reading the class name and its associated length. The critical flaw is an integer type mismatch:
- The length of the class name is stored into a signed integer variable.
- During subsequent read operations, the same variable is used as an unsigned integer.
- A crafted negative value in the signed representation wraps around to a very large positive value when treated as unsigned.
- This causes the code to attempt reading or writing far beyond the allocated stack buffer, resulting in a stack overflow.
Attack Flow
1. Attacker crafts malicious Storable serialized data with a manipulated class name length
2. The length value is negative when interpreted as a signed integer
3. retrieve_hook() stores the value as signed, then reads it as unsigned
4. The unsigned interpretation produces an extremely large length
5. Storable attempts to process a buffer of that inflated size
6. Stack overflow occurs, overwriting return addresses or control flow data
7. Attacker achieves arbitrary code execution in the context of the Perl processWhy This Matters
Storable is a core Perl module — it ships with Perl and is used extensively across the CPAN ecosystem for caching, session storage, IPC, and general data persistence. Applications that accept Storable-serialized data from:
- HTTP request bodies or file uploads
- Shared cache layers (memcached, Redis, file-based caches)
- Message queues processing serialized Perl objects
- Database BLOBs storing serialized Perl structures
...are all potentially exposed to exploitation if they have not upgraded to Storable 3.05 or later.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full code execution in the Perl process context |
| Data Exfiltration | Attacker gains access to memory and application data |
| Process Compromise | Web servers, daemons, and cron jobs using Storable are at risk |
| Privilege Escalation | If the Perl process runs as root or a privileged user, full system compromise is possible |
| Supply Chain Risk | CPAN modules using Storable for caching or IPC may propagate the vulnerability |
Remediation
Step 1: Upgrade Storable
Update Perl's Storable module to version 3.05 or later:
# Check current Storable version
perl -MStorable -e 'print "$Storable::VERSION\n"'
# Upgrade via CPAN
cpan Storable
# Or via system package manager (Debian/Ubuntu)
apt-get update && apt-get install --only-upgrade perl
# RHEL/CentOS/Fedora
yum update perlStep 2: Audit Deserialization Points
Identify all locations in your codebase where untrusted Storable data is deserialized:
# Search for Storable usage in your codebase
grep -r "Storable::retrieve\|Storable::thaw\|retrieve\b\|thaw\b" .
# Review any code accepting external input before passing to StorableStep 3: Validate Input Before Deserialization
If upgrading is not immediately possible, apply input validation to reject untrusted Storable data:
use Storable qw(retrieve thaw);
# Never deserialize data from untrusted sources without validation
# Prefer Storable::dclone for in-memory cloning of trusted data only
sub safe_thaw {
my ($data) = @_;
die "Data exceeds maximum allowed size" if length($data) > 1_000_000;
return thaw($data);
}Step 4: Apply Defense-in-Depth
# Run Perl processes under restricted user accounts
# Avoid running web servers as root
# Apply AppArmor or SELinux profiles to restrict Perl process capabilities
# Monitor for unexpected child process creation from Perl web serversDetection Indicators
| Indicator | Description |
|---|---|
| Unexpected process spawning from Perl web server processes | Possible exploitation attempt |
| Anomalous memory usage spikes in Perl daemons | Stack overflow activity |
| Crash logs containing stack corruption traces | Active exploitation or probe |
| Network connections originating from Perl processes | Post-exploitation reverse shell |
| Unusual file system writes by Perl service accounts | Post-exploitation persistence |
Post-Remediation Checklist
- Upgrade Storable to 3.05+ across all systems running affected Perl versions
- Audit all applications that deserialize Storable data from external or untrusted sources
- Review logs for signs of exploitation attempts (crash dumps, unusual process spawns)
- Apply least privilege — ensure Perl service processes run with minimal necessary OS privileges
- Scan dependencies — audit CPAN modules in use for transitive Storable dependencies
- Monitor for anomalous behavior in Perl application processes