FRACTAL String::Compare::ConstantTime
cpe:2.3:a:fractal:string::compare::constanttime:*:*:*:*:perl:*:*
- 0.321
A timing side-channel has been identified in the String::Compare::ConstantTime module for Perl, affecting versions through 0.321. The module's 'equals' function returns false immediately when the two strings have different lengths, so a comparison of a secret against attacker-supplied input completes faster on a length mismatch than on an equal-length content mismatch. By timing such comparisons an attacker can infer the length of the secret string; the content of equal-length inputs is still compared in constant time and is not exposed by this issue.
Exploitation could disclose the length of a secret string (for example a password or API key of variable length), a timing side-channel that may be combined with other information or vulnerabilities. Where the secret has a fixed, publicly known length, such as an HMAC tag or a fixed-size session token, the leak tells the attacker nothing new.
To reproduce this vulnerability, use the String::Compare::ConstantTime module in a Perl script to compare a secret string with attacker-controlled candidates via the 'equals' function: once with a candidate whose length differs from the secret's, and once with a wrong candidate of the same length, timing many iterations of each. The wrong-length case returns measurably faster, revealing whether the candidate's length matches the secret's; repeating this across candidate lengths recovers the length of the secret. Callers who must not leak the length can compare fixed-length digests of both operands instead of the raw strings.
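The following Perl script is an added example and is not code from the String::Compare::ConstantTime distribution or from the advisory. It shows the length-dependent timing of 'equals' (wrong-length versus same-length wrong candidates, averaged over many calls) and a wrapper that hides the secret's length by comparing HMAC-SHA256 digests of both operands, which are always 32 bytes so the length branch in 'equals' can never fire. The helper names (leaky_equals, length_hiding_equals, average_seconds), the use of /dev/urandom for the per-process key, and the sample secret are all assumptions of this example; the module's own API used here is only String::Compare::ConstantTime::equals($a, $b).

```perl
#!/usr/bin/env perl
# Added example, not code from String::Compare::ConstantTime or the advisory.
# Demonstrates (1) the length-dependent early return of equals() and
# (2) a wrapper that compares fixed-length digests to hide the secret's length.
use strict;
use warnings;
use String::Compare::ConstantTime ();   # provides equals($a, $b)
use Digest::SHA qw(hmac_sha256);        # core Perl module, binary 32-byte digest
use Time::HiRes qw(time);

# Vulnerable usage (the pattern the advisory describes): equals() returns
# false as soon as the lengths differ, so a wrong-length guess is rejected
# faster than a same-length wrong guess. Content of equal-length inputs is
# still compared in constant time.
sub leaky_equals {
    my ($secret, $candidate) = @_;
    return String::Compare::ConstantTime::equals($secret, $candidate);
}

# Random per-process key for the hardened wrapper. It only needs to be
# unpredictable and identical for both HMAC calls; it is regenerated on every
# start and never stored. Reading /dev/urandom is an assumption of this
# example; any CSPRNG source works.
my $PROCESS_KEY = do {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    my $n = read $fh, my $key, 32;
    close $fh;
    die "short read from /dev/urandom" unless defined $n && $n == 32;
    $key;
};

# Hardened wrapper: both operands are mapped to 32-byte HMAC-SHA256 digests
# before the constant-time compare, so equals() never sees a length mismatch
# and its timing no longer depends on the length of the secret.
sub length_hiding_equals {
    my ($secret, $candidate) = @_;
    return String::Compare::ConstantTime::equals(
        hmac_sha256($secret,    $PROCESS_KEY),
        hmac_sha256($candidate, $PROCESS_KEY),
    );
}

# Crude timing harness: average wall-clock seconds per call of
# $cmp->($secret, $candidate) over $iterations calls. Per-call differences
# are nanoseconds, so a large iteration count is needed to see them.
sub average_seconds {
    my ($cmp, $secret, $candidate, $iterations) = @_;
    my $start = time;
    $cmp->($secret, $candidate) for 1 .. $iterations;
    return (time - $start) / $iterations;
}

my $secret     = 'correct horse battery staple';      # constructed sample secret
my $same_len   = 'x' x length($secret);               # wrong content, right length
my $wrong_len  = 'x' x (length($secret) + 1);         # wrong content, wrong length
my $iterations = 200_000;

for my $case ([leaky => \&leaky_equals], [hidden => \&length_hiding_equals]) {
    my ($name, $cmp) = @$case;
    my $t_same  = average_seconds($cmp, $secret, $same_len,  $iterations);
    my $t_wrong = average_seconds($cmp, $secret, $wrong_len, $iterations);
    printf "%-7s same-length %.1f ns  wrong-length %.1f ns  ratio %.2f\n",
        $name, $t_same * 1e9, $t_wrong * 1e9, $t_wrong / $t_same;
}
```

Run it a few times: the 'leaky' line shows the wrong-length candidate completing faster than the same-length one, while the 'hidden' line shows the two cases within noise of each other, because the wrapper always hands 'equals' two digests of identical length. The wrapper does not change what is compared (HMAC with a fixed key is injective enough for this purpose and both sides use the same key), it only removes length as a timing variable; the cost is two extra HMAC computations per comparison.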