tenable:160477 · OpenSSL 1.1.1 < 1.1.1o Vulnerability

01 · The Real Story

This is a spare key left in the maintenance closet, not the front door left open

Tenable plugin 160477 maps to CVE-2022-1292, a command-injection flaw in OpenSSL's c_rehash helper script, not in the core TLS handshake path. The vulnerable ranges are OpenSSL 1.1.1 through 1.1.1n, 3.0.0 through 3.0.2, and 1.0.2 through 1.0.2zd; upstream fixed them in 1.1.1o, 3.0.3, and 1.0.2ze. On some operating systems, c_rehash may be auto-invoked while processing certificate directories, which lets a malicious filename trigger shell metacharacter injection with the privileges of the script.

The scary part is the *impact* if you can hit the path; the non-scary part is that most attackers cannot. The vendor/plugin labeling gets inflated by legacy CVSS v2 10.0 and a misleading CISA-ADP 9.8 network score, but NVD's own CVSS v3.1 7.3 already shows the real constraints: local attack vector, low privileges required, user interaction required. In enterprise reality this is usually a post-initial-access edge case, often further narrowed by distro backports and by the fact that many fleets never run c_rehash at all.

"This is not a remotely reachable OpenSSL handshake bug; it is a narrow post-access script abuse case"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Get a foothold that can write into a cert path

The attacker first needs a local or authenticated position on the host, or a product workflow that lets them place files into a directory later processed by c_rehash. This is where the NVD vector matters: the exploit chain does not start from an unauthenticated network packet to OpenSSL itself. Weaponization is public; for example, the GitHub PoC alcaparra/CVE-2022-1292 demonstrates the filename-metacharacter abuse path.

Conditions required:

Local shell, authenticated application access, or another post-compromise write primitive
Ability to place or rename files in a certificate directory or a path later processed by c_rehash

Where this breaks in practice:

Requires prior access; this is not internet-to-root from a TLS socket
Many enterprise servers do not expose certificate-management workflows to untrusted users

Detection/coverage: Network scanners will not see this prerequisite. EDR, file integrity monitoring, and auditd/sysmon-style file-write telemetry are the likely controls.

STEP 02

Plant a maliciously named certificate file

The exploit relies on shell metacharacters embedded in filenames or paths that c_rehash later passes unsafely to shell-executed commands. The attacker does not need memory corruption; they need the script to build the wrong shell invocation. This is classic command injection in a maintenance helper, not a parser bug in libcrypto.

Conditions required:

c_rehash present on disk
Attacker-controlled filename or path survives validation and reaches the script

Where this breaks in practice:

Some deployments never install c_rehash, or have replaced it with openssl rehash
Application-level validation often strips path separators or shell metacharacters before files ever land

Detection/coverage: EDR can catch suspicious filenames and shell metacharacters in certificate-store directories; most vuln scanners cannot validate this path directly.

STEP 03

Wait for c_rehash to execute

The vulnerable script must then be run manually by an admin, by a package hook, or by an affected product workflow. Upstream explicitly notes that some operating systems distribute it in a way that is automatically executed, but that is a packaging/runtime detail, not a universal truth. This execution dependency is the biggest real-world brake on exploitation.

Conditions required:

c_rehash invoked on the malicious directory
Invocation happens before the malicious file is removed or noticed

Where this breaks in practice:

Many fleets never invoke c_rehash during normal operation
Admin-driven certificate work is episodic, not continuous
Container images may carry OpenSSL but never run the helper script

Detection/coverage: Process creation telemetry is strong here: look for c_rehash spawning unexpected shell children such as /bin/sh, perl, rm, curl, or wget.

STEP 04

Command execution lands with script privileges

If all prior conditions line up, the injected shell fragment executes with the privileges of the script caller, potentially root in packaging or admin contexts. That can absolutely become full host compromise, which is why this should not be ignored outright. But the blast radius is constrained by how narrow and post-access the path is.

Conditions required:

Privileged caller or sensitive runtime context
No EDR or command allowlisting block on the spawned shell/child process

Where this breaks in practice:

Modern EDR commonly catches strange shell execution from package or cert-management processes
Least-privilege packaging and immutable images reduce impact

Detection/coverage: Behavioral detections beat version checks here. Nessus plugin 160477 is version-based only and explicitly says it did not test for exploitation.

03 · Intelligence Metadata

The supporting signals.

Primary issue	CVE-2022-1292 — OpenSSL `c_rehash` command injection via unsanitized shell metacharacters
In-the-wild status	No authoritative public evidence of broad in-the-wild exploitation was found in the reviewed primary sources, and it is not listed in CISA KEV at the time of this assessment
Proof-of-concept availability	Yes. Public PoC is available at GitHub: `alcaparra/CVE-2022-1292`
EPSS	Tenable's CVE page currently shows EPSS 0.38986 (sourced from FIRST). The page does not expose percentile in the rendered view
KEV status	Absent from CISA KEV in the current catalog check; no KEV due date applies
CVSS reality check	NVD scores it 7.3 HIGH with `CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H`, which matches the actual attack chain far better than the stale CVSS v2 10.0 or CISA-ADP's 9.8 network score
Affected versions	Upstream affected ranges are 1.1.1-1.1.1n, 3.0.0-3.0.2, and 1.0.2-1.0.2zd
Fixed versions and backports	Upstream fixed in 1.1.1o / 3.0.3 / 1.0.2ze. Distro backports matter: Debian fixed in 1.1.1n-0+deb10u2 and 1.1.1n-0+deb11u2; Ubuntu addressed it in USN-5402-1 for affected releases
Scanning and exposure reality	This is a poor fit for internet exposure telemetry. Shodan/Censys-style scans can find OpenSSL-speaking services, but they cannot tell you whether `c_rehash` exists or is ever executed
Scanner caveat	Tenable plugin `160477` states Nessus did not test for the issue and instead relied on the application's self-reported version number

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.3/10)

The decisive downward pressure is that exploitation usually requires post-initial-access file placement plus execution of an obsolete helper script. This is not a remotely reachable OpenSSL protocol flaw; it is a narrow maintenance-path abuse case whose reachable population is a small subset of systems carrying the library.

HIGH Attack-path prerequisites are materially narrower than 'critical OpenSSL' headlines imply

MEDIUM Enterprise prevalence of auto-executed `c_rehash` varies by distro packaging and product embedding

Why this verdict

Start from the vendor's realistic baseline, not the legacy panic score: the meaningful baseline is NVD's 7.3 HIGH with AV:L/PR:L/UI:R, not the older 10.0 CVSS v2 or CISA-ADP's 9.8 network framing
Requires post-initial-access conditions: attacker needs local/authenticated reach plus the ability to place crafted filenames into a certificate path, which implies a prior compromise stage or a very specific app workflow
Reachable population is small: many systems have OpenSSL installed but never run c_rehash, and many modern builds use openssl rehash or omit the helper entirely
Detection and containment are stronger than average: shell spawning from cert-maintenance or package processes is noisy and commonly visible to EDR
Scanner inflation is real: Tenable's own plugin says it is version-based only, so backported distro packages and non-invoked script paths get overstated

Why not higher?

Because the exploit chain does not begin with an unauthenticated remote network request to OpenSSL. You need a foothold, a writable path, and the vulnerable helper script to run; each of those gates compounds downward pressure on severity. There is also no KEV entry or strong primary-source evidence of broad active exploitation.

Why not lower?

Because if the path is present, command execution can be real and severe, especially when c_rehash runs from privileged admin or package-management context. On shared Linux systems, cert-management appliances, or products that auto-process certificate directories, the local impact can still become full host compromise.

05 · Compensating Control

What to do — in priority order.

Inventory c_rehash — Determine whether affected hosts actually ship or invoke c_rehash; this is the fastest way to collapse false urgency. For a LOW verdict there is no SLA beyond backlog hygiene, so complete this during the next routine validation cycle and document hosts where the script is absent.
Block untrusted writes to certificate stores — Tighten permissions on certificate directories and any application workflow that imports CA bundles or PEM files. That removes the attacker-controlled filename prerequisite; for LOW severity, implement as normal hardening work rather than an emergency change.
Prefer openssl rehash — Where operationally safe, replace legacy c_rehash usage with the supported openssl rehash tool called without shell-evaluated file paths. Treat this as maintenance-cycle cleanup for this LOW issue.
Alert on shell children from cert tooling — Create EDR/process alerts for c_rehash, package hooks, or certificate-maintenance jobs spawning /bin/sh, bash, curl, or wget. This is a practical detective control for the narrow exploitation path and can be rolled out in standard detection engineering cadence.

What doesn't work

A perimeter WAF does not help; the vulnerable surface is a local helper script, not a web request parser
Internet-facing TLS service scans do not prove exploitability; they can see OpenSSL exposure, not whether c_rehash exists or runs
Relying on the OpenSSL version string alone does not work on backported distros like Debian and Ubuntu, where patched packages may still report older upstream base versions

06 · Verification

Crowdsourced verification payload.

Run this on the target Linux host that Nessus flagged, not from an auditor workstation. Invoke it as bash check-cve-2022-1292.sh; no root is required, though sudo helps if package metadata access is restricted. The script checks whether c_rehash is present, then uses distro/package evidence and upstream version thresholds to print VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2022-1292.sh
# Purpose: assess likely exposure to OpenSSL c_rehash command injection (CVE-2022-1292)
# Output: VULNERABLE | PATCHED | UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

say() { printf '%s\n' "$1"; }
ver_ge() {
  # returns 0 if $1 >= $2 using sort -V
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

OS_ID="unknown"
OS_VER="unknown"
if [ -r /etc/os-release ]; then
  . /etc/os-release
  OS_ID="${ID:-unknown}"
  OS_VER="${VERSION_ID:-unknown}"
fi

# Locate c_rehash
CREHASH=""
for p in "$(command -v c_rehash 2>/dev/null || true)" /usr/bin/c_rehash /usr/sbin/c_rehash /usr/local/bin/c_rehash /usr/local/ssl/bin/c_rehash; do
  if [ -n "$p" ] && [ -e "$p" ]; then
    CREHASH="$p"
    break
  fi
done

if [ -z "$CREHASH" ]; then
  say "PATCHED - c_rehash not found on this host; the vulnerable helper path is absent"
  exit 0
fi

# Prefer package-manager evidence because distro backports are common.
if command -v dpkg-query >/dev/null 2>&1 && command -v dpkg >/dev/null 2>&1; then
  PKG_VER="$(dpkg-query -W -f='${Version}' openssl 2>/dev/null || true)"
  if [ -n "$PKG_VER" ]; then
    case "$OS_ID:$OS_VER" in
      debian:10)
        if dpkg --compare-versions "$PKG_VER" ge "1.1.1n-0+deb10u2"; then
          say "PATCHED - Debian 10 openssl package version $PKG_VER includes the fix/backport"
          exit 0
        else
          say "VULNERABLE - Debian 10 openssl package version $PKG_VER is older than 1.1.1n-0+deb10u2"
          exit 1
        fi
        ;;
      debian:11)
        if dpkg --compare-versions "$PKG_VER" ge "1.1.1n-0+deb11u2"; then
          say "PATCHED - Debian 11 openssl package version $PKG_VER includes the fix/backport"
          exit 0
        else
          say "VULNERABLE - Debian 11 openssl package version $PKG_VER is older than 1.1.1n-0+deb11u2"
          exit 1
        fi
        ;;
      ubuntu:22.04)
        # Ubuntu Jammy fixed via USN-5402-1
        if dpkg --compare-versions "$PKG_VER" ge "3.0.2-0ubuntu1.1"; then
          say "PATCHED - Ubuntu 22.04 openssl package version $PKG_VER includes the fix/backport"
          exit 0
        else
          say "VULNERABLE - Ubuntu 22.04 openssl package version $PKG_VER is older than 3.0.2-0ubuntu1.1"
          exit 1
        fi
        ;;
    esac
  fi
fi

if command -v rpm >/dev/null 2>&1; then
  if rpm -q openssl >/dev/null 2>&1; then
    if rpm -q --changelog openssl 2>/dev/null | grep -q 'CVE-2022-1292'; then
      say "PATCHED - rpm changelog for openssl references CVE-2022-1292 backport"
      exit 0
    fi
  fi
fi

# Fall back to upstream version-string logic for source builds or non-backported installs.
OPENSSL_VER_RAW="$(openssl version 2>/dev/null || true)"
OPENSSL_VER="$(printf '%s' "$OPENSSL_VER_RAW" | awk '{print $2}')"
if [ -n "$OPENSSL_VER" ]; then
  case "$OPENSSL_VER" in
    1.1.1*)
      if ver_ge "$OPENSSL_VER" "1.1.1o"; then
        say "PATCHED - upstream OpenSSL version $OPENSSL_VER is >= 1.1.1o"
        exit 0
      else
        say "VULNERABLE - upstream OpenSSL version $OPENSSL_VER is < 1.1.1o and c_rehash is present"
        exit 1
      fi
      ;;
    3.0.*)
      if ver_ge "$OPENSSL_VER" "3.0.3"; then
        say "PATCHED - upstream OpenSSL version $OPENSSL_VER is >= 3.0.3"
        exit 0
      else
        say "VULNERABLE - upstream OpenSSL version $OPENSSL_VER is < 3.0.3 and c_rehash is present"
        exit 1
      fi
      ;;
    1.0.2*)
      if ver_ge "$OPENSSL_VER" "1.0.2ze"; then
        say "PATCHED - upstream OpenSSL version $OPENSSL_VER is >= 1.0.2ze"
        exit 0
      else
        say "VULNERABLE - upstream OpenSSL version $OPENSSL_VER is < 1.0.2ze and c_rehash is present"
        exit 1
      fi
      ;;
  esac
fi

say "UNKNOWN - c_rehash exists, but package/backport status could not be proven from available metadata"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, do not treat plugin 160477 like a front-burner internet RCE. First, validate whether affected Linux images actually carry and execute c_rehash, and clear version-only false positives caused by distro backports; after that, fold genuine residual cases into routine OS/library maintenance. For this LOW verdict there is no noisgate mitigation SLA and no noisgate remediation SLA—treat it as backlog hygiene, document not-applicable hosts, and patch real exposures in the next normal maintenance cycle rather than burning an emergency window.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.