We are going to talk about a couple of vulnerabilities in OpenSSL that allow attackers to carry out command injection attacks on the system on which vulnerable versions of OpenSSL are installed. The first flaw has been tracking with the CVE ID CVE-2022-1292 and calculated the CVSS score of 9.8, which is considered critical as per the CVSSv3 scoring system. The second flaw has been tracking with the CVE ID CVE-2022-2068. CVSS score hasn’t been calculated yet to publish. Since both the flaws target the same c_rehash script in OpenSSL and create the same impact. We can presume that both vulnerabilities are critical. Since these flaws allow attackers to perform command injection attacks using these OpenSSL flaws, it is important to learn how to fix Command Injection Vulnerabilities in OpenSSL.
Before we jump in to know how to fix Command Injection Vulnerabilities in OpenSSL, it is important to know about the c_rehash script in OpenSSL.
c_rehash Script In OpenSS:
c_rehash is a script that comes with OpenSSL. It is used to manage the symbolic links that are used to store certificates and other files required by SSL applications. c_rehash will scan a directory and create symbolic links for all of the certificates and other files it finds there. This makes it possible for SSL applications to find the files they need without having to know the exact location of each file. c_rehash can be run manually, or it can be called automatically by OpenSSL when it is needed. If you are using a version of OpenSSL that does not include c_rehash, you can download it from http://www.openssl.org as well.
Summary Of CVE-2022-1292:
This vulnerability actually persists in the c_rehash script. The flaw is due to improper sanitization of metacharacters that were used to prevent command injection. However, this improper sanitation will create problems in the operating systems on which the script will get automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.
|Associated CVE ID||CVE-2022-1292|
|Description||A Command Injection Vulnerability in OpenSSL|
|Associated ZDI ID||–|
|CVSS Score||9.8 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
Summary Of CVE-2022-2068:
The command injection vulnerability identified as CVE-2022-1292 has been identified again after the fix. This happened because the flaw CVE-2022-1292 failed to fix completely. There are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. So we can say that the flaw CVE-2022-2068 is an extension of the above one.
OpenSSL Versions Vulnerable To CVE-2022-1292 And CVE-2022-2068:
Official OpenSSL advisory of both the vulnerabilities says that these flaws affect OpenSSL versions 1.0.2, 1.1.1, and 3.0. OpenSSL version 1.1.0 was not officially tested to declare as vulnerable since it has reached the end of life and no longer be supported and released patches.
Affected versions of OpenSSL:
We recommend checking the version of OpenSSL on your servers and fix these Command Injection Vulnerabilities in OpenSSL as soon as possible. You can run this simple command to check the OpenSSL version on your machine.
$ openssl version
How To Fix Command Injection Vulnerabilities In OpenSSL?
OpenSSL addresses both the vulnerabilities in its new releases. OpenSSL has rolled out the patched with the release of three new versions. All the users of OpenSSL are suggested to find out the current version of OpenSSL on their machines and upgrade to the corresponding versions suggested by the Vendor.
- OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers only)
- OpenSSL 1.1.1 users should upgrade to 1.1.1p
- OpenSSL 3.0 users should upgrade to 3.0.4
Note: OpenSSL 1.0.2 is reached end of life. So 1.0.2 has no support and no longer receiving public updates. Extended support is available for premium support customers only. OpenSSL 1.1.0 is reached end of life with no support of any kind. Upgrade to OpenSSL 3.0 or 1.1.1 is the only option left out for 1.1.0 users.
Time needed: 10 minutes.
How to upgrade the OpenSSL and fix Command Injection Vulnerabilities in OpenSSL (CVE-2022-1292 And CVE-2022-2068)?
- Check the OpenSSL version
Run this command to check the version of OpenSSL:
$ openssl version
- Download the latest OpenSSL package
Download the correct package you need. In this case, since we have OpenSSL v1.1.1n, we need to download 1.1.1p.
If you have 3 series of OpenSSL, you should download 3.0.4.
$ cd Downloads/
$ wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
$ chmod +x openssl-1.1.1p.tar.gz
- Extract the OpenSSL package
Extract the downloaded package to a folder.
$ tar -zxf openssl-1.1.1p.tar.gz
$ cd openssl-1.1.1p/
- Manually compile OpenSSL 1.1.1.p
Run this command to compile and create configdata.pm and makefile.
- Install/upgrade OpenSSL
Issue these commands to install or upgrade the OpenSSL.
$ sudo make
$ sudo make test
$ sudo mv /usr/bin/openssl ~/tmp (Backup current openssl binary)
$ sudo make install
Note: You may need to install make and gcc utilities before you install or upgrade the OpenSSL. Run this command to install the required packages if not preinstalled.
$ sudo apt install make gcc
- Create symbolic link from newly install binary to the default location
$ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl
- Update the symbolic links in Ubuntu
Run these commands to update symbolic links and rebuild the library cache:
$ sudo ldconfig
- Check the OpenSSL version once again after the patch
Check the version of OpenSSL:
$ openssl version
We hope this post would help you know how to fix Command Injection Vulnerabilities in OpenSSL (CVE-2022-1292 And CVE-2022-2068). Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this.