CVE-2022-1292
Published: 03 May 2022
Summary
CVE-2022-1292 is a high-severity OS Command Injection (CWE-78) vulnerability in OpenSSL. Its CVSS base score is 7.3 (High).
Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The vulnerability is a command injection flaw (CWE-78) in the c_rehash script distributed with OpenSSL, which fails to sanitize shell metacharacters. It affects OpenSSL 3.0.0-3.0.2, 1.1.1-1.1.1n, and 1.0.2-1.0.2zd on operating systems that automatically execute the script; the issue is rated 7.3 under CVSS 3.1 with a local attack vector.
An attacker able to influence the files processed by c_rehash on such systems can execute arbitrary commands with the privileges of the script; the script itself is considered obsolete.
Official patches have been released in OpenSSL 3.0.3, 1.1.1o, and 1.0.2ze, and vendors including Siemens and Debian advise migrating to the supported "openssl rehash" command-line tool instead of relying on the script. The EPSS score reached a peak of 0.4121 with a current value of 0.3889.
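As an added example (not part of this CVE record or of the OpenSSL project), the following POSIX shell helper classifies an OpenSSL version string against the affected ranges stated above and reports whether the local build still needs the upgrade; the function names and message text are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an OpenSSL version string
# falls inside an affected range for CVE-2022-1292 and check the local build.
# OpenSSL letter suffixes sort as "" < a < ... < z < za < zb ..., so a shorter
# suffix always sorts first and equal-length suffixes compare as plain strings.

# suffix_le A B: exit 0 if suffix A sorts at or before suffix B
suffix_le() {
    if [ "${#1}" -ne "${#2}" ]; then
        [ "${#1}" -lt "${#2}" ] && return 0
        return 1
    fi
    [ "$1" = "$2" ] && return 0
    expr "$1" \< "$2" >/dev/null && return 0   # POSIX expr string comparison
    return 1
}

# cve_2022_1292_affected VERSION: exit 0 if VERSION is inside an affected range
# (3.0.0-3.0.2, 1.1.1-1.1.1n, 1.0.2-1.0.2zd), 1 if fixed or on another branch.
cve_2022_1292_affected() {
    case $1 in
        3.0.[0-2]) return 0 ;;
        3.0.*)     return 1 ;;
        1.1.1*)    suffix=${1#1.1.1}; last=n ;;
        1.0.2*)    suffix=${1#1.0.2}; last=zd ;;
        *)         return 1 ;;
    esac
    case $suffix in
        *[!a-z]*) return 1 ;;   # not a plain letter suffix (e.g. "-dev"): not flagged
    esac
    suffix_le "$suffix" "$last"
}

# check_local_openssl: print the installed version and its status; exit 0 if not
# affected, 1 if affected, 2 if no openssl binary is on PATH.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH"; return 2; }
    v=$(openssl version | awk '{print $2}')
    if cve_2022_1292_affected "$v"; then
        echo "OpenSSL $v: affected by CVE-2022-1292; upgrade to 3.0.3 / 1.1.1o / 1.0.2ze"
        echo "and rehash certificate directories with 'openssl rehash DIR', not c_rehash"
        return 1
    fi
    echo "OpenSSL $v: not in an affected range"
    return 0
}

# Run the local check only when invoked with --check, so the file can also be sourced.
if [ "${1-}" = "--check" ]; then
    check_local_openssl
fi
```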
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-24621
Vulnerability details
The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.3 (Affected 3.0.0, 3.0.1, 3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n). Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd).
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.