CVE Vulnerabilities

CVE-2022-2068

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Published: Jun 21, 2022 | Modified: Nov 07, 2023
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
10 HIGH
AV:N/AC:L/Au:N/C:C/I:C/A:C
RedHat/V2
RedHat/V3
6.7 MODERATE
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze).

Weakness

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Openssl Openssl 1.0.2 (including) 1.0.2zf (excluding)
Openssl Openssl 1.1.1 (including) 1.1.1p (excluding)
Openssl Openssl 3.0.0 (including) 3.0.4 (excluding)
JBoss Core Services for RHEL 8 RedHat jbcs-httpd24-openssl-1:1.1.1k-13.el8jbcs *
JBoss Core Services on RHEL 7 RedHat jbcs-httpd24-openssl-1:1.1.1k-13.el7jbcs *
JWS 5.7.1 release RedHat openssl *
Red Hat Enterprise Linux 8 RedHat openssl-1:1.1.1k-7.el8_6 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-41.el9_0 *
Red Hat Enterprise Linux 9 RedHat openssl-1:3.0.1-41.el9_0 *
Red Hat JBoss Core Services 1 RedHat openssl *
Red Hat JBoss Web Server 5.7 on RHEL 7 RedHat jws5-tomcat-native-0:1.2.31-11.redhat_11.el7jws *
Red Hat JBoss Web Server 5.7 on RHEL 8 RedHat jws5-tomcat-native-0:1.2.31-11.redhat_11.el8jws *
Red Hat JBoss Web Server 5.7 on RHEL 9 RedHat jws5-tomcat-native-0:1.2.31-11.redhat_11.el9jws *
Red Hat Satellite 6.11 for RHEL 7 RedHat puppet-agent-0:7.26.0-3.el7sat *
Red Hat Satellite 6.11 for RHEL 7 RedHat puppet-agent-0:7.26.0-3.el7sat *
Red Hat Satellite 6.11 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.11 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.12 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.12 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.13 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.13 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.14 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Red Hat Satellite 6.14 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Satellite Client 6 for RHEL 6 RedHat puppet-agent-0:7.26.0-3.el6sat *
Satellite Client 6 for RHEL 7 RedHat puppet-agent-0:7.26.0-3.el7sat *
Satellite Client 6 for RHEL 8 RedHat puppet-agent-0:7.26.0-3.el8sat *
Satellite Client 6 for RHEL 9 RedHat puppet-agent-0:7.26.0-3.el9sat *
Edk2 Ubuntu trusty *
Edk2 Ubuntu xenial *
Nodejs Ubuntu jammy *
Nodejs Ubuntu trusty *
Openssl Ubuntu bionic *
Openssl Ubuntu esm-infra/bionic *
Openssl Ubuntu esm-infra/xenial *
Openssl Ubuntu fips-updates/bionic *
Openssl Ubuntu fips-updates/focal *
Openssl Ubuntu fips-updates/xenial *
Openssl Ubuntu fips/bionic *
Openssl Ubuntu fips/focal *
Openssl Ubuntu fips/xenial *
Openssl Ubuntu focal *
Openssl Ubuntu impish *
Openssl Ubuntu jammy *
Openssl Ubuntu upstream *
Openssl1.0 Ubuntu bionic *
Openssl1.0 Ubuntu esm-infra/bionic *

Extended Description

This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage. There are at least two subtypes of OS command injection:

From a weakness standpoint, these variants represent distinct programmer errors. In the first variant, the programmer clearly intends that input from untrusted parties will be part of the arguments in the command to be executed. In the second variant, the programmer does not intend for the command to be accessible to any untrusted party, but the programmer probably has not accounted for alternate ways in which malicious attackers can provide input.

Potential Mitigations

  • Run the code in a “jail” or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software.
  • OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using the ESAPI Encoding control [REF-45] or a similar tool, library, or framework. These will help the programmer encode outputs in a manner less prone to error.
  • If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated.
  • Some languages offer multiple functions that can be used to invoke commands. Where possible, identify any function that invokes a command shell using a single string, and replace it with a function that requires individual arguments. These functions typically perform appropriate quoting and filtering of arguments. For example, in C, the system() function accepts a string that contains the entire command to be executed, whereas execl(), execve(), and others require an array of strings, one for each argument. In Windows, CreateProcess() only accepts one command at a time. In Perl, if system() is provided with an array of arguments, then it will quote each of the arguments.
  • Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • When constructing OS command strings, use stringent allowlists that limit the character set based on the expected value of the parameter in the request. This will indirectly limit the scope of an attack, but this technique is less important than proper output encoding and escaping.
  • Note that proper output encoding, escaping, and quoting is the most effective solution for preventing OS command injection, although input validation may provide some defense-in-depth. This is because it effectively limits what will appear in output. Input validation will not always prevent OS command injection, especially if you are required to support free-form text fields that could contain arbitrary characters. For example, when invoking a mail program, you might need to allow the subject field to contain otherwise-dangerous inputs like “;” and “>” characters, which would need to be escaped or otherwise handled. In this case, stripping the character might reduce the risk of OS command injection, but it would produce incorrect behavior because the subject field would not be recorded as the user intended. This might seem to be a minor inconvenience, but it could be more important when the program relies on well-structured subject lines in order to pass messages to other components.
  • Even if you make a mistake in your validation (such as forgetting one out of 100 input fields), appropriate encoding is still likely to protect you from injection-based attacks. As long as it is not done in isolation, input validation is still a useful technique, since it may significantly reduce your attack surface, allow you to detect some attacks, and provide other security benefits that proper encoding does not address.
  • Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success.
  • If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files.
  • Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.
  • In the context of OS Command Injection, error information passed back to the user might reveal whether an OS command is being executed and possibly which command is being used.

References