OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

[artemis]

https://www.cve.org/CVERecord?id=CVE-2022-2068

basically the deal here is that if someone can get openssl's c_rehash script to look at a folder they control, they can make a file with a special name that will let them make openssl run an arbitrary command for them. so it runs as whatever user c_rehash runs as.

i dont think pups from woof-ce even run this script by default, maybe some of the projects closer to stock distributions do, i dont have any to check. this doesn't really matter on a system where everything is root anyhow. mainly a problem for certain multi-user machine setups, or if someone hacks your web server or something.

This could be bad if you are affected- but are you actually affected? if nothing is running c_rehash, no. do your own research

fixed in 3.0.5, 1.1.1p, 1.0.2zf

[ozsouth]

openssl 1.1.1q is now released. One moderate severity security fix plus bugfixes. openssl 3.0.5 also released & has a high severity security fix too.

[rockedge]

I have compiled openssl-1.1.1q and created a PET in Bionic64-8

This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Download -> openssl-1.1.1q-x86_64.pet

[Grey]

I have compiled openssl-1.1.1q and created a PET in Bionic64-8
This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Hello. What does the openssl version command output?

[rockedge]

@Grey

Code: Select all

root-# openssl version
OpenSSL 1.1.1  11 Sep 2018

I have not tested the PET on this system yet. I am working with Zoneminder builds and creating a PET for ZM so I am hesitant to try the openssl-1.1.1q

I also have openssl-3.0.5-dev compiled.

[geo_c]

Does that script have to be called from connected email servers for ssl to work? I compiled neo-mutt with open-ssl and I have that file in /usr/bin. I ask because root/group/others all have executable privilege.

So might unsetting those help, or does the injection cause the script to be called from root anyway, so it doesn't matter if the others/group permissions are switched off?

[williams2]

Code: Select all

# grep -i puppysfs /etc/DISTRO_SPECS 
DISTRO_PUPPYSFS='puppy_bionicpup64_8.0.sfs'
#
# openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
#

Code: Select all

./configure
make
make test
make install

[Grey]

Loads in /usr/local/

As far as I remember, in the entire line of systems from Phil, the /usr/local directory does NOT have priority over /usr. Therefore, it is better to compile with --prefix=/usr

Probably @dimkr has already fixed this in woof-ce.

[rockedge]

@Grey
I have re-compiled openSSL 1.1.1q and built a PET in Bionic64-8 that installs in /usr