CVE-2017-20240
Description
Crypt::PBKDF2 for Perl before 0.261630 uses Perl's eq operator, enabling timing attacks that could reveal the derived key.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Crypt::PBKDF2 versions before 0.261630 for Perl use Perl's built-in eq operator to compare the computed derived key with the stored key in the validate method. The eq operator stops comparison as soon as a mismatch is found, making execution time dependent on the number of matching leading bytes. This timing side channel exists in all versions prior to 0.261630 [1][2].
Exploitation
An attacker who can precisely measure the response time of password verification attempts (e.g., over a local network or via high-resolution timers) can send a series of crafted passwords and observe timing differences. By iteratively guessing each byte of the derived key and measuring the slight timing variation caused by the eq short-circuit, the attacker can recover the full derived key byte by byte. No authentication is required initially, but the attacker must be able to send many requests and accurately measure timing [3].
Impact
Successful exploitation allows the attacker to reconstruct the derived key used for PBKDF2 verification. This defeats the security of the password hashing scheme, enabling offline password cracking or direct authentication bypass against stored hashes. The compromise affects the confidentiality and integrity of any system relying on the affected library for password storage [2][3].
Mitigation
The vulnerability is fixed in version 0.261630, released on 2026-06-11, which replaces the eq comparison with a constant-time comparison function [2]. All users of Crypt::PBKDF2 should upgrade to at least this version. There is no known workaround for earlier versions. This CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.
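The comparison pattern described under Vulnerability, next to a comparison that does not exit early, as an added illustration. It is not code from Crypt::PBKDF2 or from the 0.261630 fix; the function names and sample byte strings are constructed for this example.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Pattern the advisory describes: eq may return at the first differing byte,
# so run time depends on how many leading bytes match.
sub validate_with_eq {
    my ($computed, $stored) = @_;
    return $computed eq $stored ? 1 : 0;
}

# Comparison whose work does not depend on where the inputs differ.
# Hypothetical helper; not the function shipped in 0.261630.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 unless defined $x && defined $y;
    # The derived-key length is a public parameter, so checking it leaks nothing secret.
    return 0 unless length($x) == length($y);
    my $diff = 0;
    # OR together the XOR of every byte pair; never exit early.
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1))
        for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

sub validate_constant_time {
    my ($computed, $stored) = @_;
    return constant_time_eq($computed, $stored);
}

# Constructed sample values (not real derived keys).
my $stored     = pack('H*', '00112233445566778899aabbccddeeff');
my $same       = pack('H*', '00112233445566778899aabbccddeeff');
my $late_diff  = pack('H*', '00112233445566778899aabbccddee00');
my $early_diff = pack('H*', 'ff112233445566778899aabbccddeeff');

for my $case ([same => $same], [late_diff => $late_diff], [early_diff => $early_diff]) {
    my ($name, $candidate) = @$case;
    printf "%-10s eq=%d constant_time=%d\n", $name,
        validate_with_eq($candidate, $stored),
        validate_constant_time($candidate, $stored);
}
```

Both functions return the same results; the difference is that the second always processes every byte, so the position of the first mismatch no longer influences how long the check takes. In an interpreted language this is a best-effort property rather than a hard guarantee.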
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <0.261630
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 4
News mentions
No linked articles in our index yet.