CVE-2022-2068: OpenSSL command injection vulnerability
OpenSSL updates announced on Tuesday patch a moderate-severity command injection vulnerability related to the c_rehash script. The flaw, tracked as CVE-2022-2068, was reported to the OpenSSL Project by Chancen of Qingteng 73lab.
The security hole affects OpenSSL versions 1.0.2, 1.1.1, and 3.0, and it has been fixed with the release of versions 1.0.2zf (for premium support customers), 1.1.1p, and 3.0.5. Exploitation is possible because the c_rehash script does not properly sanitise shell metacharacters to prevent command injection.
“In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review,” the OpenSSL Project explained in its advisory. “When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script.”
CVE-2022-2068 is the sixth OpenSSL vulnerability patched in 2022. A total of eight flaws were patched in 2021, including three that were assigned a severity rating of “high.”
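The advisory's root cause is certificate file names reaching a command executed through the shell. The following is an added example, not code from the OpenSSL Project or from this article: a defender-side audit that flags certificate file names outside a conservative allowlist, plus a hashing call that passes the file name as a single argv element with no shell involved. The allowlist, the extension list and all function names are assumptions of this example.

```python
import os
import re
import subprocess

# Conservative allowlist for certificate file names (assumption of this example):
# letters, digits, dot, underscore, hyphen. Everything else, including shell
# metacharacters such as ` $ ; | & ( ) < > quotes and whitespace, is flagged.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]+")
# Extensions treated as certificate/CRL files (assumption of this example).
CERT_EXTS = (".pem", ".crt", ".cer", ".crl")


def audit_cert_dir(directory):
    """Return sorted names of cert-like files whose names fall outside the allowlist."""
    flagged = []
    for entry in os.scandir(directory):
        name = entry.name
        if not name.lower().endswith(CERT_EXTS):
            continue
        # A leading '-' is flagged too: it could be read as a command-line option.
        if not SAFE_NAME.fullmatch(name) or name.startswith("-"):
            flagged.append(name)
    return sorted(flagged)


def hash_argv(directory, name, openssl="openssl"):
    """Build an argv list for hashing one certificate; never a shell string."""
    # An absolute path keeps the value after -in from being parsed as an option.
    path = os.path.join(os.path.abspath(directory), name)
    return [openssl, "x509", "-hash", "-noout", "-in", path]


def subject_hash(directory, name):
    """Run openssl without a shell, so the file name stays one literal argument."""
    result = subprocess.run(hash_argv(directory, name), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for bad in audit_cert_dir(target):
        print(f"suspicious certificate file name: {bad!r}")
```

Run it against a certificate directory that is rehashed automatically; any flagged name is worth investigating regardless of whether the installed c_rehash is already patched.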