Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix Command Injection Vulnerabilities In OpenSSL In Just 5 Minutes
June 27, 2022

How To Fix Command Injection Vulnerabilities In OpenSSL In Just 5 Minutes

How To Fix Command Injection Vulnerabilities In Openss Cve 2022 1292 Cve 2022 2068

We are going to talk about a couple of vulnerabilities in OpenSSL that allow attackers to carry out command injection attacks on the system on which vulnerable versions of OpenSSL are installed. The first flaw has been tracking with the CVE ID CVE-2022-1292 and calculated the CVSS score of 9.8, which is considered critical as per the CVSSv3 scoring system. The second flaw has been tracking with the CVE ID CVE-2022-2068. CVSS score hasn’t been calculated yet to publish. Since both the flaws target the same c_rehash script in OpenSSL and create the same impact. We can presume that both vulnerabilities are critical. Since these flaws allow attackers to perform command injection attacks using these OpenSSL flaws, it is important to learn how to fix Command Injection Vulnerabilities in OpenSSL.

Before we jump in to know how to fix Command Injection Vulnerabilities in OpenSSL, it is important to know about the c_rehash script in OpenSSL.

c_rehash Script In OpenSS:

c_rehash is a script that comes with OpenSSL. It is used to manage the symbolic links that are used to store certificates and other files required by SSL applications. c_rehash will scan a directory and create symbolic links for all of the certificates and other files it finds there. This makes it possible for SSL applications to find the files they need without having to know the exact location of each file. c_rehash can be run manually, or it can be called automatically by OpenSSL when it is needed. If you are using a version of OpenSSL that does not include c_rehash, you can download it from as well.

Summary Of CVE-2022-1292:

This vulnerability actually persists in the c_rehash script. The flaw is due to improper sanitization of metacharacters that were used to prevent command injection. However, this improper sanitation will create problems in the operating systems on which the script will get automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.

Associated CVE IDCVE-2022-1292
DescriptionA Command Injection Vulnerability in OpenSSL
Associated ZDI ID
CVSS Score9.8 Critical
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary Of CVE-2022-2068:

The command injection vulnerability identified as CVE-2022-1292 has been identified again after the fix. This happened because the flaw CVE-2022-1292 failed to fix completely. There are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. So we can say that the flaw CVE-2022-2068 is an extension of the above one.

OpenSSL Versions Vulnerable To CVE-2022-1292 And CVE-2022-2068:

Official OpenSSL advisory of both the vulnerabilities says that these flaws affect OpenSSL versions 1.0.2, 1.1.1, and 3.0. OpenSSL version 1.1.0 was not officially tested to declare as vulnerable since it has reached the end of life and no longer be supported and released patches.

Affected versions of OpenSSL:

  • 1.0.2

  • 1.1.1

  • 3.0

We recommend checking the version of OpenSSL on your servers and fix these Command Injection Vulnerabilities in OpenSSL as soon as possible. You can run this simple command to check the OpenSSL version on your machine.

$ openssl version

How To Fix Command Injection Vulnerabilities In OpenSSL?

OpenSSL addresses both the vulnerabilities in its new releases. OpenSSL has rolled out the patched with the release of three new versions. All the users of OpenSSL are suggested to find out the current version of OpenSSL on their machines and upgrade to the corresponding versions suggested by the Vendor.

  1. OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)

  2. OpenSSL 1.1.1 users should upgrade to 1.1.1p

  3. OpenSSL 3.0 users should upgrade to 3.0.4

Note: OpenSSL 1.0.2 is reached end of life. So 1.0.2 has no support and no longer receiving public updates. Extended support is available for premium support customers only. OpenSSL 1.1.0 is reached end of life with no support of any kind. Upgrade to OpenSSL 3.0 or 1.1.1 is the only option left out for 1.1.0 users.

How to upgrade the OpenSSL and fix Command Injection Vulnerabilities in OpenSSL (CVE-2022-1292 And CVE-2022-2068)?

Step 1. Check the OpenSSL version

Run this command to check the version of OpenSSL:

$ openssl version

Step 2. Download the latest OpenSSL package

Download the correct package you need. In this case, since we have OpenSSL v1.1.1n, we need to download 1.1.1p.
If you have 3 series of
OpenSSL, you should download 

$ cd Downloads/
$ wget
$ chmod +x openssl-1.1.1p.tar.gz

Step 3. Extract the OpenSSL package

Extract the downloaded package to a folder.

$ tar -zxf openssl-1.1.1p.tar.gz
$ cd openssl-1.1.1p/

Step 4. Manually compile OpenSSL 1.1.1.p

Run this command to compile and create and makefile.

$ ./config

Step 5. Install/upgrade OpenSSL

Issue these commands to install or upgrade the OpenSSL.

$ sudo make
$ sudo make test
$ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
$ sudo make install

Note: You may need to install make and gcc utilities before you install or upgrade the
OpenSSL.  Run this command to install the required packages if not preinstalled.

$ sudo apt install make gcc

Step 6. Create symbolic link from newly install binary to the default location

$ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

Step 7. Update the symbolic links in Ubuntu

Run these commands to update symbolic links and rebuild the library cache:

$ sudo ldconfig

Step 8. Check the OpenSSL version once again after the patch

Check the version of OpenSSL:

$ openssl version

We hope this post would help you know how to fix Command Injection Vulnerabilities in OpenSSL (CVE-2022-1292 And CVE-2022-2068). Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, Medium & Instagram, and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription