CVE-2022-2068 Overview
CVE-2022-2068 is a command injection vulnerability in the OpenSSL c_rehash script that was discovered during code review following the initial fix for CVE-2022-1292. The vulnerability exists because the script fails to properly sanitize shell metacharacters in certificate file names before passing them to shell commands. The original fix was incomplete, leaving additional code paths where malicious certificate file names can lead to arbitrary command execution.
When the fix for CVE-2022-1292 was implemented, additional locations in the script where certificate file names are passed to shell-executed commands were not identified. On operating systems where the c_rehash script is automatically executed as part of system operations, an attacker with the ability to place maliciously named certificate files could achieve arbitrary command execution with the privileges of the script.
Critical Impact
Attackers can achieve arbitrary command execution on systems where the c_rehash script is automatically invoked by placing specially crafted certificate files with shell metacharacters in the filename.
Affected Products
- OpenSSL 3.0.0 through 3.0.3 (Fixed in 3.0.4)
- OpenSSL 1.1.1 through 1.1.1o (Fixed in 1.1.1p)
- OpenSSL 1.0.2 through 1.0.2ze (Fixed in 1.0.2zf)
- Debian Linux 10.0 and 11.0
- Fedora 35 and 36
- Siemens SINEC INS (versions prior to 1.0 SP2)
- NetApp Element Software, HCI Management Node, ONTAP Antivirus Connector
- NetApp Storage Systems (H-Series, FAS, AFF platforms)
- Broadcom SANnav
Discovery Timeline
- June 21, 2022 - CVE-2022-2068 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2022-2068
Vulnerability Analysis
This vulnerability represents an incomplete fix scenario where the original remediation for CVE-2022-1292 failed to address all vulnerable code paths in the c_rehash Perl script. The script is designed to scan directories for certificate files and create symbolic links based on their hash values, facilitating certificate lookup operations.
The root issue lies in how the script handles file names when constructing shell commands. Certificate file names containing shell metacharacters (such as backticks, semicolons, or pipe characters) are not properly sanitized before being interpolated into shell command strings. When these commands are executed, the metacharacters are interpreted by the shell, allowing attacker-controlled commands to be injected and executed.
The attack requires local access to place malicious certificate files in directories processed by c_rehash. The impact is significant on systems where the script runs automatically, such as during certificate store updates or as part of automated maintenance tasks, as this creates an opportunity for privilege escalation without direct user interaction.
Root Cause
The root cause is improper input validation (CWE-78: Improper Neutralization of Special Elements used in an OS Command) in the c_rehash script. The script constructs shell commands by concatenating certificate file names without proper escaping or sanitization of shell-special characters. During the fix for CVE-2022-1292, not all instances where file names were passed to shell commands were identified and remediated, leaving residual injection points.
Attack Vector
The attack vector requires local access with the ability to write certificate files to directories processed by the c_rehash script. An attacker crafts a certificate file with shell metacharacters embedded in the filename. When c_rehash processes the directory containing this file, the malicious filename is passed to a shell command, and the embedded metacharacters cause the shell to execute attacker-controlled commands.
On systems where c_rehash is invoked automatically (for example, as part of package installation or certificate store updates), this creates an opportunity for local privilege escalation. The commands execute with the privileges of the process running the script, which may be root or a privileged system account.
The vulnerability mechanism involves the script iterating through certificate files and constructing shell commands dynamically. When a filename contains characters like backticks or command separators, these are interpreted by the shell as command substitution or command chaining operators. For detailed technical analysis, refer to the OpenSSL Security Advisory 20220621.
Detection Methods for CVE-2022-2068
Indicators of Compromise
- Certificate files with unusual filenames containing shell metacharacters (backticks, semicolons, pipes, dollar signs) in certificate directories
- Unexpected process spawning from c_rehash or openssl parent processes
- Suspicious file creation or modification following c_rehash execution
- Evidence of command execution in system logs coinciding with certificate operations
Detection Strategies
- Monitor file system events for certificate files with suspicious naming patterns containing shell special characters
- Implement process monitoring to detect unexpected child processes spawned from c_rehash or related OpenSSL utilities
- Audit certificate directories (/etc/ssl/certs, /etc/pki/tls/certs) for files with anomalous filenames
- Review system logs for errors or unusual activity during certificate operations
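The following script is an added example, not code from the advisory or from OpenSSL. It implements the audit step above (flag certificate file names carrying shell metacharacters) and, alongside it, shows the construction the root-cause section calls for: handing a file name to openssl as an argument vector rather than interpolating it into a shell string, so metacharacters stay data. The set of characters it treats as suspicious and the helper names (`audit_names`, `audit_cert_dir`, `safe_hash_argv`, `subject_hashes`) are this example's own assumptions.

```python
"""Added example (not from the advisory or OpenSSL): audit a certificate
directory for file names containing shell metacharacters, and compute
subject hashes with an argv list so no shell ever parses the name."""
import os
import re
import shutil
import subprocess
from pathlib import Path

# Characters a POSIX shell treats as syntax when a name is interpolated
# into a command string. Assumed set for this example; the advisory names
# backticks, semicolons, pipes and dollar signs explicitly.
SHELL_META = re.compile(r'[`$;|&<>(){}\'"\\*?\s]')


def suspicious_chars(name: str) -> str:
    """Return the distinct shell metacharacters found in one file name."""
    return ''.join(sorted(set(SHELL_META.findall(name))))


def audit_names(names) -> list[tuple[str, str]]:
    """Pure helper: (name, metacharacters) for each name that would have
    been unsafe to interpolate into a shell command string."""
    findings = []
    for name in sorted(names):
        bad = suspicious_chars(name)
        if bad:
            findings.append((name, bad))
    return findings


def audit_cert_dir(directory: str) -> list[tuple[str, str]]:
    """Audit one directory, non-recursively, the way c_rehash walks it."""
    return audit_names(os.listdir(directory))


def safe_hash_argv(cert_path: str) -> list[str]:
    """Argument vector for the subject-hash lookup. Passing a list to
    subprocess (never shell=True) delivers the path to execve() verbatim,
    so characters like ';' or '`' cannot become command syntax."""
    return ['openssl', 'x509', '-hash', '-noout', '-in', cert_path]


def subject_hashes(directory: str) -> dict[str, str]:
    """Compute subject hashes for regular files with clean names.
    Returns {filename: hash}; empty when openssl is not installed."""
    results: dict[str, str] = {}
    if shutil.which('openssl') is None:
        return results
    for entry in sorted(os.listdir(directory)):
        path = Path(directory) / entry
        if not path.is_file() or suspicious_chars(entry):
            continue  # skip flagged names instead of ever passing them on
        proc = subprocess.run(safe_hash_argv(str(path)),
                              capture_output=True, text=True)
        if proc.returncode == 0:
            results[entry] = proc.stdout.strip()
    return results


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else '/etc/ssl/certs'
    for name, chars in audit_cert_dir(target):
        print(f'SUSPICIOUS {name!r}: contains {chars!r}')
```

Run it against each directory that c_rehash or openssl rehash processes (for example `/etc/ssl/certs` and `/etc/pki/tls/certs`); any line it prints is a candidate for the file-integrity and process-lineage alerts listed above. The list-form `subprocess.run` call is the same shape as the fix the patched script adopts: the file name never passes through a shell.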
Monitoring Recommendations
- Configure file integrity monitoring on certificate directories to alert on new files with unusual naming patterns
- Implement process lineage monitoring to detect command execution from certificate management tools
- Enable detailed logging for any automated certificate management tasks
- Use SentinelOne's behavioral detection capabilities to identify anomalous process chains originating from certificate utilities
How to Mitigate CVE-2022-2068
Immediate Actions Required
- Upgrade OpenSSL to the fixed versions: 3.0.4, 1.1.1p, or 1.0.2zf
- Replace usage of the deprecated c_rehash script with the openssl rehash command-line tool
- Audit certificate directories for files with suspicious filenames and remove any anomalies
- Restrict write access to certificate directories to prevent placement of malicious files
Patch Information
OpenSSL has released fixed versions that address this vulnerability:
- OpenSSL 3.0.4 - Fixes affected versions 3.0.0 through 3.0.3
- OpenSSL 1.1.1p - Fixes affected versions 1.1.1 through 1.1.1o
- OpenSSL 1.0.2zf - Fixes affected versions 1.0.2 through 1.0.2ze
The patches properly sanitize file names before passing them to shell commands. For commit details, see the OpenSSL Git repository. Additional vendor-specific patches are available from Debian Security Advisory DSA-5169, NetApp Security Advisory NTAP-20220707-0008, and Siemens Security Advisory SSA-332410.
Workarounds
- Discontinue use of the c_rehash script and migrate to the openssl rehash command, which does not spawn a shell
- Implement strict file system permissions on certificate directories, limiting write access to trusted administrators only
- If c_rehash must be used, ensure it is never executed automatically or on directories with user-writable content
- Monitor and audit certificate directories for any files with shell metacharacters in their names
# Replace c_rehash with the openssl rehash command (no shell is invoked)
# Instead of: c_rehash /etc/ssl/certs
openssl rehash /etc/ssl/certs
# Verify the OpenSSL version to confirm patch status (expect 3.0.4, 1.1.1p or 1.0.2zf or later)
openssl version
# Audit certificate directories for filenames containing shell metacharacters
find /etc/ssl/certs -name '*[`$;|&]*' -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.