How to Fix Command Injection Vulnerabilities in OpenSSL - CVE-2022-1292 & CVE-2022-2068

This post covers two vulnerabilities in the c_rehash script that ships with OpenSSL. Both allow command injection on a system where a vulnerable copy of the script is run over a directory whose file names an attacker can influence. The first flaw is tracked as CVE-2022-1292 and carries a CVSS v3.1 base score of 9.8, which is Critical under the CVSS v3 scoring system. The second flaw is tracked as CVE-2022-2068; no CVSS score had been published for it at the time of writing, but since it is an incomplete-fix follow-up to the first flaw, in the same script and with the same impact, it should be treated as critical as well. Note that both flaws are in the script, not in libssl or libcrypto, which matters when deciding how to fix them. Because they allow arbitrary command execution, it is important to know how to fix these command injection vulnerabilities in OpenSSL.

Before we get to the fix, it is worth understanding what the c_rehash script does, because both flaws live in it.

c_rehash Script In OpenSSL:

c_rehash is a Perl script distributed with OpenSSL. It scans a directory of certificates and CRLs and creates symbolic links named after each file's subject (or issuer) name hash, for example a1b2c3d4.0, so that OpenSSL can locate a CA certificate in a lookup directory (the CApath used by applications and by openssl verify -CApath) without knowing each file's real name. It computes each hash by running the openssl command on the file, which is where the shell comes in. Administrators run it by hand, and some operating systems run it automatically, for example from package installation hooks. Since OpenSSL 1.1.0 the same job is done by the openssl rehash subcommand, which is implemented in C and does not go through a shell; the OpenSSL project considers c_rehash obsolete and recommends openssl rehash instead. The script lives in the OpenSSL source tree, so a copy is only as current as the OpenSSL release it came from.

Summary Of CVE-2022-1292:

The flaw is in the c_rehash script. The script builds shell command lines that include the names of the files it is hashing, and it did not properly sanitise shell metacharacters in those names. A file whose name contains characters such as ;, backticks or $(...), placed in a directory that c_rehash later processes, therefore causes the embedded command to run. On operating systems where the script is executed automatically, often with root privileges during package installation, an attacker who can drop a file into the certificate directory can run arbitrary commands with the privileges of the script.

Associated CVE ID: CVE-2022-1292
Description: Command injection in the OpenSSL c_rehash script
CVSS Score: 9.8 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 3.9
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-2068:

After the fix for CVE-2022-1292 shipped, code review of c_rehash found further places where the names of the certificates being hashed were still passed to a command executed through the shell without proper sanitisation. In other words, the first fix was incomplete. The remaining cases were assigned CVE-2022-2068; it is the same bug class in the same script, with the same impact and the same preconditions as CVE-2022-1292, so it is best seen as an extension of the first flaw.
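To make the bug class behind CVE-2022-1292 and CVE-2022-2068 concrete, here is an added example that is not the c_rehash code itself (which is Perl) and not from the OpenSSL project: a small POSIX shell model of what the script does. The vulnerable shape pastes the file name into a command string that /bin/sh re-parses, which is what Perl backticks and string-form open do; the fixed shape passes the name as a single argv element so no shell ever sees it. sha1sum (or shasum) stands in for openssl x509 -hash -noout -in so the script runs without OpenSSL, and the directory, file names and the touch injected marker are constructed for the demo.

```shell
#!/bin/sh
# Added example modelling the c_rehash bug class; not the real c_rehash code.
# sha1sum/shasum stands in for "openssl x509 -hash -noout -in FILE".

hash_tool() {
    command -v sha1sum >/dev/null 2>&1 && echo sha1sum || echo shasum
}

# Vulnerable shape: the file name is pasted into a command string that /bin/sh
# re-parses, like Perl's `$openssl x509 -hash -noout -in $fname`. Any ';', '|',
# backtick or $(...) inside the name becomes a command.
hash_vulnerable() {
    sh -c "$(hash_tool) $1" 2>/dev/null | cut -c1-8
}

# Fixed shape: the name travels as one argv element and no shell sees it.
# '--' keeps a name such as "-c" from being parsed as an option.
hash_safe() {
    "$(hash_tool)" -- "$1" 2>/dev/null | cut -c1-8
}

# Mimics the c_rehash loop: hash every regular file in the directory and
# create <hash>.0 -> file links. $1 = directory, $2 = "vulnerable" or "safe".
rehash_dir() {
    ( cd "$1" || exit 1
      for f in *; do
          [ -f "$f" ] || continue
          case $2 in
              vulnerable) h=$(hash_vulnerable "$f") ;;
              *)          h=$(hash_safe "$f") ;;
          esac
          if [ -n "$h" ]; then ln -sf "$f" "$h.0"; fi
      done )
}

# Builds a throwaway directory with one benign file and one file whose *name*
# carries a command (constructed for the demo), rehashes it with the requested
# variant and prints "injected" if the smuggled command ran, "clean" otherwise.
demo() {
    dir=$(mktemp -d)
    printf 'not really a cert\n' > "$dir/ca.pem"
    printf 'not really a cert\n' > "$dir/evil.pem; touch injected"   # attacker-chosen name
    rehash_dir "$dir" "$1"
    if [ -e "$dir/injected" ]; then echo injected; else echo clean; fi
    rm -rf "$dir"
}

echo "vulnerable variant: $(demo vulnerable)"
echo "safe variant:       $(demo safe)"
```

The vulnerable run leaves the injected marker behind because sh executed "sha1sum evil.pem; touch injected" as two commands; the safe run hashes a file that really is named "evil.pem; touch injected" and nothing else happens. The same distinction is why openssl rehash, which never builds a command string, is the recommended replacement for the script.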

OpenSSL Versions Vulnerable To CVE-2022-1292 And CVE-2022-2068:

The official OpenSSL advisories for both vulnerabilities list OpenSSL 1.0.2, 1.1.1 and 3.0 as affected. OpenSSL 1.1.0 is out of support and was not evaluated, so it should be assumed vulnerable; it will not receive a patch.

Affected versions of OpenSSL:

  • 1.0.2
  • 1.1.1
  • 3.0

We recommend checking the OpenSSL version on your servers and fixing these command injection vulnerabilities as soon as possible. Run this command to see the OpenSSL version on your machine:

$ openssl version

How To Fix Command Injection Vulnerabilities In OpenSSL?

OpenSSL addressed CVE-2022-1292 in its May 2022 releases (1.1.1o and 3.0.3) and completed the fix for CVE-2022-2068 in its June 2022 releases (1.1.1p and 3.0.4). Find out which version is installed on each machine and upgrade to the corresponding fixed release:

Two points before you start. First, the vulnerable code is the c_rehash script, not the libraries, so what has to be replaced is every copy of that script on the system, and the cleanest fix is to stop using it in favour of openssl rehash. Second, most Linux distributions backport the fix into their own openssl package without changing the upstream version string, so a package upgrade (apt, dnf, etc.) is the supported route on a distribution-managed system; building from source, as shown below, installs a separate copy under /usr/local and does not touch the distribution's libssl or its copy of c_rehash.

  1. OpenSSL 1.0.2 users should upgrade to 1.0.2zf (premium support customers only)
  2. OpenSSL 1.1.1 users should upgrade to 1.1.1p
  3. OpenSSL 3.0 users should upgrade to 3.0.4

Note: OpenSSL 1.0.2 has reached end of life, so it no longer receives public updates; extended support is available to premium support customers only. OpenSSL 1.1.0 has reached end of life with no support of any kind, so upgrading to 1.1.1 or 3.0 is the only option for 1.1.0 users.

Time needed: 10 minutes.

How to upgrade the OpenSSL and fix Command Injection Vulnerabilities in OpenSSL (CVE-2022-1292 And CVE-2022-2068)?

  1. Check the OpenSSL version

    Run this command to check the version of OpenSSL:

    $ openssl version

  2. Download the latest OpenSSL package

    Download the package you need. In this example the installed version is OpenSSL 1.1.1n, so we download 1.1.1p.

    If you have 3 series of OpenSSL, you should download 3.0.4.

    $ cd Downloads/
    $ wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz
    $ wget https://www.openssl.org/source/openssl-1.1.1p.tar.gz.sha256
    $ sha256sum openssl-1.1.1p.tar.gz

    The digest printed by sha256sum must match the one in the downloaded .sha256 file; do not build a tarball whose checksum differs. (A tarball is data, not a program, so there is no need to make it executable.)

  3. Extract the OpenSSL package

    Extract the downloaded package to a folder.

    $ tar -zxf openssl-1.1.1p.tar.gz
    $ cd openssl-1.1.1p/

  4. Configure the OpenSSL 1.1.1p build

    Run the configure script. It detects the platform and generates configdata.pm and the Makefile; it does not compile anything yet. The default prefix is /usr/local, so the new build lands alongside, not on top of, the distribution's copy.

    $ ./config

  5. Install/upgrade OpenSSL

    Build and test as a normal user; only the install step needs root.

    $ make
    $ make test
    $ mkdir -p ~/tmp && sudo mv /usr/bin/openssl ~/tmp/   # back up the distribution's openssl binary
    $ sudo make install

    Note: make, gcc and perl must be present before you can build OpenSSL. On Ubuntu, install them with:

    $ sudo apt install make gcc perl

  6. Create a symbolic link from the newly installed binary to the default location

    $ sudo ln -s /usr/local/bin/openssl /usr/bin/openssl

    Note: /usr/bin/openssl belongs to the distribution's openssl package, so the next upgrade of that package is expected to replace this link with the distribution's own binary. That is harmless, because by then the package itself carries the fix. Nothing in this procedure changes the distribution's libssl/libcrypto or its /usr/bin/c_rehash, if installed; only the package upgrade does.

  7. Rebuild the shared library cache

    Run ldconfig so the dynamic loader picks up the new libssl and libcrypto installed under /usr/local/lib (on Ubuntu that directory is already listed in /etc/ld.so.conf.d/libc.conf):

    $ sudo ldconfig

  8. Check the OpenSSL version once again after the patch

    Check the version of OpenSSL. Also confirm which c_rehash the shell resolves: make install placed a fixed copy in /usr/local/bin, but a distribution copy in /usr/bin stays vulnerable until the package is upgraded, and openssl rehash should be preferred over either.

    $ openssl version

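To turn the affected-version list above and the version check in steps 1 and 8 into something you can run across a fleet, here is an added example that is not from this post's author or from OpenSSL: a POSIX sh function that classifies the output of openssl version against the fixed releases named here (1.0.2zf, 1.1.1p, 3.0.4 and later). The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide from `openssl version` output whether the reported
# release already contains the c_rehash fixes (1.0.2zf, 1.1.1p, 3.0.4 or later).
# Returns 0 when patched, 1 otherwise. Not part of OpenSSL.

openssl_is_patched() {
    # "OpenSSL 1.1.1n  15 Mar 2022" -> $1=OpenSSL $2=1.1.1n
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1        # LibreSSL/BoringSSL use other numbering; not handled
    ver=$2
    case "$ver" in
        1.0.2z[f-z]*) return 0 ;;           # 1.0.2zf and later (premium support only)
        1.0.2*)       return 1 ;;
        1.1.1[p-z]*)  return 0 ;;           # 1.1.1p and later
        1.1.1*)       return 1 ;;
        1.1.0*)       return 1 ;;           # end of life, never fixed
        3.0.*)
            patch=${ver#3.0.}               # "3.0.4" -> "4"
            patch=${patch%%[!0-9]*}         # drop any "-dev" / "-alpha" suffix
            [ "${patch:-0}" -ge 4 ] ;;      # 3.0.4 and later
        3.[1-9]*|[4-9].*) return 0 ;;       # later branches were cut after the fix
        *)            return 1 ;;
    esac
}

# Stand-alone usage: classify the local binary, if there is one.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if openssl_is_patched "$v"; then
        echo "$v -> patched"
    else
        echo "$v -> NOT patched by version string (or a distribution build with backported fixes)"
    fi
fi
```

The function reads only the upstream version string. Distribution packages backport fixes without bumping it (Ubuntu 20.04 still reports OpenSSL 1.1.1f after patching), so on a distribution-managed system treat a "NOT patched" verdict as a prompt to check the package changelog (apt changelog openssl, rpm -q --changelog openssl), not as proof. Whatever the verdict, also check which c_rehash is on the PATH with command -v c_rehash, since that script, not the library version, is what these CVEs are about.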
We hope this post helps you fix the command injection vulnerabilities in OpenSSL (CVE-2022-1292 and CVE-2022-2068). Please share it to help others secure their systems.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn
