OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

For discussions about security.
Post Reply
artemis
Posts: 44
Joined: Wed Mar 24, 2021 8:16 pm
Has thanked: 8 times
Been thanked: 5 times

OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by artemis »

https://www.cve.org/CVERecord?id=CVE-2022-2068

basically the deal here is that if someone can get openssl's c_rehash script to look at a folder they control, they can make a file with a special name that will let them make openssl run an arbitrary command for them. so it runs as whatever user c_rehash runs as.

i dont think pups from woof-ce even run this script by default, maybe some of the projects closer to stock distributions do, i dont have any to check. this doesn't really matter on a system where everything is root anyhow. mainly a problem for certain multi-user machine setups, or if someone hacks your web server or something.

This could be bad if you are affected- but are you actually affected? if nothing is running c_rehash, no. do your own research

fixed in 3.0.5, 1.1.1p, 1.0.2zf

ozsouth
Posts: 1569
Joined: Sun Jul 12, 2020 2:38 am
Location: S.E. Australia
Has thanked: 241 times
Been thanked: 704 times

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by ozsouth »

openssl 1.1.1q is now released. One moderate severity security fix plus bugfixes. openssl 3.0.5 also released & has a high severity security fix too.

User avatar
rockedge
Site Admin
Posts: 6553
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2757 times
Been thanked: 2629 times
Contact:

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by rockedge »

I have compiled openssl-1.1.1q and created a PET in Bionic64-8

This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Download -> openssl-1.1.1q-x86_64.pet

User avatar
Grey
Posts: 2024
Joined: Wed Jul 22, 2020 12:33 am
Location: Russia
Has thanked: 76 times
Been thanked: 376 times

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by Grey »

rockedge wrote: Wed Jul 13, 2022 2:46 am

I have compiled openssl-1.1.1q and created a PET in Bionic64-8
This is fresh off the press and is NOT tested yet. Loads in /usr/local/

Hello. What does the openssl version command output?

Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.

User avatar
rockedge
Site Admin
Posts: 6553
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2757 times
Been thanked: 2629 times
Contact:

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by rockedge »

@Grey

Code: Select all

root-# openssl version
OpenSSL 1.1.1  11 Sep 2018

I have not tested the PET on this system yet. I am working with Zoneminder builds and creating a PET for ZM so I am hesitant to try the openssl-1.1.1q

I also have openssl-3.0.5-dev compiled.

geo_c
Posts: 2881
Joined: Fri Jul 31, 2020 3:37 am
Has thanked: 2205 times
Been thanked: 878 times

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by geo_c »

Does that script have to be called from connected email servers for ssl to work? I compiled neo-mutt with open-ssl and I have that file in /usr/bin. I ask because root/group/others all have executable privilege.

So might unsetting those help, or does the injection cause the script to be called from root anyway, so it doesn't matter if the others/group permissions are switched off?

geo_c
Old School Hipster, and Such

williams2
Posts: 1062
Joined: Sat Jul 25, 2020 5:45 pm
Been thanked: 305 times

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by williams2 »

Code: Select all

# grep -i puppysfs /etc/DISTRO_SPECS 
DISTRO_PUPPYSFS='puppy_bionicpup64_8.0.sfs'
#
# openssl version
OpenSSL 3.0.5 5 Jul 2022 (Library: OpenSSL 3.0.5 5 Jul 2022)
#

Code: Select all

./configure
make
make test
make install
User avatar
Grey
Posts: 2024
Joined: Wed Jul 22, 2020 12:33 am
Location: Russia
Has thanked: 76 times
Been thanked: 376 times

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by Grey »

rockedge wrote: Wed Jul 13, 2022 3:54 am

Loads in /usr/local/

As far as I remember, in the entire line of systems from Phil, the /usr/local directory does NOT have priority over /usr. Therefore, it is better to compile with --prefix=/usr

Probably @dimkr has already fixed this in woof-ce.

Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.

User avatar
rockedge
Site Admin
Posts: 6553
Joined: Mon Dec 02, 2019 1:38 am
Location: Connecticut,U.S.A.
Has thanked: 2757 times
Been thanked: 2629 times
Contact:

Re: OpenSSL 1.1.1-1.1.1o, 3.0.0-3.0.3, 1.0.2-1.0.2ze shell command injection attack

Post by rockedge »

@Grey
I have re-compiled openSSL 1.1.1q and built a PET in Bionic64-8 that installs in /usr

Post Reply

Return to “Security”