CVE-2022-1292 Overview
CVE-2022-1292 is a command injection vulnerability in the OpenSSL c_rehash script, which fails to properly sanitize shell metacharacters. Some operating systems distribute this script in a way that runs it automatically; on those systems an attacker can execute arbitrary commands with the privileges of the script. The vulnerability affects OpenSSL versions 3.0.0-3.0.2, 1.1.1-1.1.1n, and 1.0.2-1.0.2zd.
Critical Impact
Attackers can achieve arbitrary command execution with script privileges on systems where c_rehash is automatically executed, potentially leading to full system compromise.
Affected Products
- OpenSSL 3.0.0, 3.0.1, 3.0.2 (Fixed in 3.0.3)
- OpenSSL 1.1.1 through 1.1.1n (Fixed in 1.1.1o)
- OpenSSL 1.0.2 through 1.0.2zd (Fixed in 1.0.2ze)
- Debian Linux 9.0, 10.0, 11.0
- Fedora 35, 36
- NetApp Active IQ Unified Manager, Clustered Data ONTAP, SnapCenter, and various storage firmware
- Oracle MySQL Server, MySQL Workbench, Enterprise Manager Ops Center
- Siemens Brownfield Connectivity Gateway
Discovery Timeline
- May 3, 2022 - CVE-2022-1292 published to NVD
- August 13, 2025 - Last updated in NVD database
Technical Details for CVE-2022-1292
Vulnerability Analysis
The c_rehash script is a Perl utility included with OpenSSL that is used to create symbolic links to certificate files based on their hash values. This script processes certificate filenames without adequate sanitization, allowing specially crafted filenames containing shell metacharacters to be interpreted as commands when the script executes shell operations.
On certain operating systems, particularly Linux distributions, the c_rehash script may be invoked automatically by package managers or system processes when SSL certificates are updated. This automatic execution creates a particularly dangerous attack surface because an attacker who can place a maliciously named certificate file in a directory processed by c_rehash can achieve command execution without direct user interaction.
The impact includes complete confidentiality, integrity, and availability compromise on affected systems. An attacker successfully exploiting this vulnerability can execute arbitrary commands with the same privileges as the script, which may include root or administrative privileges depending on how the script is invoked.
Root Cause
The root cause of CVE-2022-1292 is improper input validation in the c_rehash script (CWE-78: OS Command Injection). The script processes certificate filenames and passes them to shell commands without properly escaping or sanitizing shell metacharacters. Characters such as backticks, semicolons, pipes, and other shell special characters embedded in filenames are interpreted by the shell, allowing arbitrary command execution.
The vulnerable code constructs shell commands using filename data that an attacker can control, violating the principle of separating code from data in command construction.
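The following is an added illustration, not code from OpenSSL or from this page: it contrasts a command built by pasting a filename into a shell string with the same command passed as an argument vector. `printf` stands in for the `openssl` invocation, and the sample filename is constructed with a harmless `echo`.

```python
import subprocess

# Constructed sample filename: the $(...) part stands in for attacker-chosen
# text and only echoes a harmless marker.
SAMPLE_NAME = "ca$(echo MARKER).pem"


def args_via_shell_string(filename):
    """BEFORE: the filename is pasted into a string that /bin/sh parses.

    Wrapping it in double quotes does not help: the shell still expands
    $(...) and backticks inside double quotes, so part of the name runs
    as code before the command ever sees its arguments.
    """
    cmd = f'printf "%s\\n" -in "{filename}"'  # printf is a stand-in command
    out = subprocess.run(cmd, shell=True, capture_output=True,
                         text=True, check=True)
    return out.stdout.splitlines()


def args_via_argv(filename):
    """AFTER: no shell is involved; the filename is a single argv element."""
    out = subprocess.run(["printf", "%s\n", "-in", filename],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("shell string:", args_via_shell_string(SAMPLE_NAME))
    print("argv list   :", args_via_argv(SAMPLE_NAME))
```

The argument-vector form hands the program the filename byte for byte, which is the separation of code from data that the root cause describes as missing.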
Attack Vector
The attack requires local access to place a malicious file in a certificate directory processed by the c_rehash script. On systems where the script runs automatically (such as during package updates or certificate refresh operations), the attack becomes more practical:
- An attacker creates a certificate file with a specially crafted filename containing shell metacharacters and embedded commands
- The file is placed in a directory that will be processed by c_rehash
- When c_rehash executes (either manually or automatically), it processes the malicious filename
- The shell metacharacters in the filename are interpreted, executing the attacker's embedded commands
- Commands execute with the privileges of the c_rehash script process
The local attack vector and the user interaction requirement limit exploitability somewhat, but the widespread use of OpenSSL and automatic execution on some systems increase the practical risk significantly.
Detection Methods for CVE-2022-1292
Indicators of Compromise
- Unusual certificate files in /etc/ssl/certs/ or other certificate directories with suspicious filenames containing shell metacharacters
- Unexpected process spawning from Perl interpreters running c_rehash
- Certificate files with names containing characters like backticks, semicolons, pipes, or $(...) constructs
- Audit logs showing c_rehash execution followed by unexpected child processes
Detection Strategies
- Monitor certificate directories for files with anomalous naming patterns that include shell special characters
- Implement file integrity monitoring on certificate directories to detect unauthorized file additions
- Deploy behavioral detection rules that alert on shell command execution spawned from c_rehash or Perl processes in certificate management contexts
- Use SentinelOne's behavioral AI to detect command injection patterns and suspicious process genealogies
Monitoring Recommendations
- Enable audit logging for file operations in certificate directories (/etc/ssl/certs/, /etc/pki/, etc.)
- Monitor for Perl script execution with arguments referencing certificate paths followed by unexpected command execution
- Track the execution of c_rehash and its child processes for anomalous behavior
- Implement alerting on any shell special character sequences in certificate filenames
How to Mitigate CVE-2022-1292
Immediate Actions Required
- Upgrade OpenSSL to the patched version for your release branch: 3.0.3, 1.1.1o, or 1.0.2ze
- Replace use of the deprecated c_rehash script with the OpenSSL rehash command line tool
- Audit certificate directories for any files with suspicious filenames containing shell metacharacters
- Restrict write access to certificate directories to prevent unauthorized file placement
Patch Information
OpenSSL has released patches in versions 3.0.3, 1.1.1o, and 1.0.2ze. The fixes add proper sanitization of shell metacharacters in the c_rehash script. Organizations should update to these versions as soon as possible. For detailed patch information, refer to the OpenSSL Security Advisory May 2022.
Distribution-specific patches are also available:
- Debian: DSA-5139
- Fedora: Available through standard package updates
- NetApp: NTAP-20220602-0009
- Oracle: CPU July 2022
Workarounds
- Migrate from the deprecated c_rehash script to the OpenSSL rehash command line tool, which is not affected by this vulnerability
- Remove or disable automatic execution of c_rehash from system processes and package manager hooks
- Implement strict file naming validation before allowing files into certificate directories
- Restrict filesystem permissions on certificate directories to prevent unprivileged users from adding files
```bash
# Replace c_rehash with the OpenSSL rehash command
# Instead of: c_rehash /etc/ssl/certs
openssl rehash /etc/ssl/certs

# Remove or disable c_rehash from automated processes
# Disable execution if removal is not possible. This blocks direct execution
# only: a hook that runs "perl /usr/bin/c_rehash" as root can still read and
# run the script, so remove such hooks as well.
chmod 000 /usr/bin/c_rehash

# Restrict certificate directory permissions
chmod 755 /etc/ssl/certs
chown root:root /etc/ssl/certs
```
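An added example (not part of the original page or any vendor tooling) of the filename audit and naming validation recommended in the detection and mitigation sections above. The allowlist pattern, the severity labels and the sample filenames are assumptions made for illustration.

```python
import os
import re
import tempfile

# Characters a POSIX shell treats specially (whitespace included).
SHELL_META = set("`$;|&<>(){}[]*?!~#'\"\\ \t\n")
# Assumed allowlist policy for names admitted to a certificate directory.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]*")


def classify(name):
    """Return (severity, detail) for a suspicious filename, or None if clean."""
    bad = sorted(set(name) & SHELL_META)
    if bad:
        return ("alert", "shell metacharacters " + repr("".join(bad)))
    if name.startswith("-"):
        return ("alert", "leading '-' can be parsed as an option")
    if not SAFE_NAME.fullmatch(name):
        # Some CA bundles ship names with '=' or non-ASCII letters,
        # so these are flagged for review rather than as alerts.
        return ("review", "outside allowlist")
    return None


def audit_cert_dir(path):
    """Walk path and map each suspicious entry (relative path) to its finding."""
    findings = {}
    for root, dirs, files in os.walk(path):
        for name in dirs + files:
            result = classify(name)
            if result:
                rel = os.path.relpath(os.path.join(root, name), path)
                findings[rel] = result
    return findings


def demo():
    """Audit a temporary directory populated with constructed sample names."""
    names = ["ca-bundle.crt", "3513523f.0", "Example_=Gold=_CA.pem",
             "root`echo MARKER`.pem", "x$(echo MARKER).crt", "-noout.pem"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            open(os.path.join(d, n), "w").close()
        return audit_cert_dir(d)


if __name__ == "__main__":
    for rel, (severity, detail) in sorted(demo().items()):
        print(f"{severity:6} {rel!r}: {detail}")
```

Point `audit_cert_dir` at `/etc/ssl/certs` or another certificate directory; `classify` can also serve as the admission check before a file is copied into such a directory.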


