Cyber Resilience

CVE-2022-2068

High

Published: 21 June 2022

Published
21 June 2022
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.2022 95.6th percentile
Risk Priority 27 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-2068 is a high-severity OS Command Injection (CWE-78) vulnerability in Siemens Sinec Ins. Its CVSS base score is 7.3 (High).

Operationally, ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability is a command injection flaw (CWE-78) in the c_rehash shell script distributed with OpenSSL. It stems from incomplete sanitization of shell metacharacters in certificate file names passed to executed commands, an issue that remained after the partial fix for the related CVE-2022-1292. Affected versions include OpenSSL 3.0.0 through 3.0.3, 1.1.1 through 1.1.1o, and 1.0.2 through 1.0.2ze; the script is shipped by some operating systems in a way that triggers automatic execution.

A local attacker who can supply or influence certificate files processed by c_rehash can inject and execute arbitrary commands under the privileges of the script. This occurs without requiring elevated privileges beyond local access and user interaction to trigger the script, potentially leading to full control over the affected system components.

Advisories and patches recommend replacing use of the obsolete c_rehash script with the OpenSSL rehash command-line tool. Fixes are available in OpenSSL 3.0.4, 1.1.1p, and 1.0.2zf, with additional vendor guidance such as the Siemens SSA-332410 advisory and distribution-specific notices like the Fedora package announcement.

The EPSS score reached a peak of 0.2354 with a current value of 0.2022.

EU & UK References

Vulnerability details

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not…

more

discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

openssl
openssl
1.0.2 — 1.0.2zf · 1.1.1 — 1.1.1p · 3.0.0 — 3.0.4
debian
debian linux
10.0, 11.0
fedoraproject
fedora
35, 36
siemens
sinec ins
1.0 · ≤ 1.0
netapp
element software
all versions
netapp
hci management node
all versions
netapp
ontap antivirus connector
all versions
netapp
ontap select deploy administration utility
all versions
netapp
santricity smi-s provider
all versions
netapp
smi-s provider
all versions
+18 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.

References