CVE-2022-1292
📋 TL;DR
CVE-2022-1292 is a command injection vulnerability in the c_rehash script distributed with OpenSSL. It allows attackers to execute arbitrary commands with the privileges of the script when the script processes untrusted input. This affects systems using vulnerable OpenSSL versions where c_rehash is automatically executed.
💻 Affected Systems
- OpenSSL
📦 What is this software?
Brownfield Connectivity Gateway by Siemens
Clustered Data Ontap Antivirus Connector by Netapp
Fabric Attached Storage A400 Firmware by Netapp
Fedora by Fedoraproject
Openssl by Openssl
OpenSSL is a robust, commercial-grade toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It provides cryptographic functions and is one of the most widely used libraries for implementing secure communications in applications worldwide.
Solidfire & Hci Management Node by Netapp
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with the privileges of the user running c_rehash, potentially leading to full system compromise if run as root.
Likely Case
Local privilege escalation or arbitrary command execution when c_rehash processes attacker-controlled certificate files.
If Mitigated
Limited impact if script execution is restricted or untrusted input is not processed.
🎯 Exploit Status
Exploitation requires ability to influence input to c_rehash script. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenSSL 3.0.3, 1.1.1o, 1.0.2ze
Vendor Advisory: https://www.openssl.org/news/secadv/20220503.txt
Restart Required: No
Instructions:
1. Update OpenSSL to a patched version using the system package manager.
2. For Linux: 'sudo apt update && sudo apt upgrade openssl' (Debian/Ubuntu) or 'sudo yum update openssl' (RHEL/CentOS).
3. Verify the update with 'openssl version'.
🔧 Temporary Workarounds
Remove c_rehash script
Linux: Delete or rename the vulnerable c_rehash script to prevent execution. Run one of the following:
sudo rm /usr/bin/c_rehash
sudo mv /usr/bin/c_rehash /usr/bin/c_rehash.bak
Use OpenSSL rehash tool
All platforms: Replace c_rehash usage with the secure 'openssl rehash' command
openssl rehash /path/to/certificates
🧯 If You Can't Patch
- Restrict execution permissions on c_rehash script to prevent unauthorized use
- Audit systems for automated c_rehash execution and disable those processes
🔍 How to Verify
Check if Vulnerable:
Check OpenSSL version with 'openssl version' and compare to affected ranges. Also check if c_rehash exists with 'which c_rehash'.
Check Version:
openssl version
Verify Fix Applied:
Confirm OpenSSL version is 3.0.3+, 1.1.1o+, or 1.0.2ze+ using 'openssl version'.
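The version comparison above is easy to get wrong for the 1.x branches, where patch levels are letters (1.0.2ze sorts after 1.0.2z). The following is an added example, not code from OpenSSL or from this page's source; the function names are hypothetical and the sample version strings are constructed. It classifies 'openssl version' output against the fixed releases listed on this page and reports whether c_rehash is on the PATH.

```python
import re
import shutil
import subprocess

# Fixed releases as listed on this page: 3.0.3, 1.1.1o, 1.0.2ze.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _letter_key(suffix):
    # OpenSSL 1.x patch letters run a..z, then za, zb, ...; ordering by
    # (length, text) gives "" < "a" < "z" < "za" < "ze".
    return (len(suffix), suffix)


def classify_openssl(version_output):
    """Return 'fixed', 'vulnerable' or 'unknown' for `openssl version` output."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return "unknown"  # not OpenSSL (e.g. a fork) or unparseable output
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    if major == 3:
        return "fixed" if (minor, patch) >= (0, 3) else "vulnerable"
    if (major, minor, patch) == (1, 1, 1):
        return "fixed" if _letter_key(suffix) >= _letter_key("o") else "vulnerable"
    if (major, minor, patch) == (1, 0, 2):
        return "fixed" if _letter_key(suffix) >= _letter_key("ze") else "vulnerable"
    return "unknown"  # branch not covered by the fix list on this page


def audit_host():
    """Check the local host: version status plus whether c_rehash is on PATH."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = ""
    return {"openssl": classify_openssl(out), "c_rehash": shutil.which("c_rehash")}


if __name__ == "__main__":
    # Constructed sample outputs, so the comparison can be seen offline.
    for sample in ("OpenSSL 1.1.1n  15 Mar 2022", "OpenSSL 1.0.2ze",
                   "OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)"):
        print(sample, "->", classify_openssl(sample))
    print(audit_host())
```

This compares upstream version strings only. Distribution packages can carry a backported fix under an older version string, so confirm a 'vulnerable' result against the distribution advisory in the references.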
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from c_rehash script
- Shell commands in certificate processing logs
Network Indicators:
- Unusual outbound connections from systems running c_rehash
SIEM Query:
Process execution where parent_process contains 'c_rehash' AND (command_line contains ';' OR command_line contains '|' OR command_line contains '&')
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-953464.pdf
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=1ad73b4d27bd8c1b369a3cd453681d3a4f1bb9b2
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=548d3f280a6e737673f5b61fce24bb100108dfeb
- https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
- https://lists.debian.org/debian-lts-announce/2022/05/msg00019.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VX4KWHPMKYJL6ZLW4M5IU7E5UV5ZWJQU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZNU5M7BXMML26G3GPYKFGQYPQDRSNKDD/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0011
- https://security.gentoo.org/glsa/202210-02
- https://security.netapp.com/advisory/ntap-20220602-0009/
- https://security.netapp.com/advisory/ntap-20220729-0004/
- https://www.debian.org/security/2022/dsa-5139
- https://www.openssl.org/news/secadv/20220503.txt
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://gitlab.com/fraf0/cve-2022-1292-re_score-analysis