OpenSSL 1

The Nessus plugin maps to CVE-2022-2068, a command injection bug in OpenSSL's c_rehash helper script, not in the TLS handshake path itself. For the 1.1.1 train, affected versions are 1.1.1 through 1.1.1o; upstream fixed it in 1.1.1p on 2022-06-21. The bug triggers when c_rehash processes attacker-controlled certificate filenames containing shell metacharacters, and impact depends on whether that script is present and actually executed on the host.

Calling this CRITICAL is reality-blind. Upstream OpenSSL rated it Moderate on June 21, 2022, and NVD later corrected its scoring on September 3, 2025 from a network-style 9.8 to a local/user-interaction 7.3, which matches the real attack path much better. The decisive friction is that most enterprises are not exposing c_rehash to unauthenticated remote attackers; you usually need a prior foothold, write access to a cert path or package flow, and a vulnerable script invocation.

Why this verdict

• Local/script-path requirement: NVD's corrected vector is AV:L/PR:L/UI:R, which fits the real-world chain far better than the stale network-style 9.8.
• Execution precondition narrows exposure: vulnerable code sits in the legacy c_rehash helper, not the routine TLS data path. If your hosts never run that script, the attack path dies.
• Reachable population is smaller than the package count: many scanners flag on OpenSSL version alone, but Tenable admits this check is self-reported versioning, so backported distro packages inflate noise.
• Impact is real when reached: if the script runs with elevated privileges, the attacker can get arbitrary command execution on that host. That keeps this above LOW.

Why not higher?

This is not the internet-facing OpenSSL catastrophe people imagine when they see a scary version banner. The attacker typically needs prior access, a path to plant a malicious cert filename, and a vulnerable script invocation; each prerequisite sharply reduces real exposure.

Why not lower?

Once the chain is reachable, the end state is legitimate command execution with the script's privileges, which can be root in package-hook contexts. That is too much impact to dismiss as backlog-only hygiene, especially on Linux servers with certificate automation.

1. Disable or remove c_rehash where unused — If your estate does not operationally need the legacy helper, eliminate the attack surface outright and standardize on openssl rehash. For this MEDIUM verdict there is no mitigation SLA; treat this as cleanup you can deploy opportunistically while moving toward the remediation window.
2. Lock down certificate directories — Restrict write access on certificate and CRL directories to root and trusted package-management identities only. This directly attacks the first prerequisite in the chain and should be folded into normal Linux hardening baselines.
3. Monitor for suspicious child processes from package hooks — Create EDR or audit rules for c_rehash, package post-install scripts, and unexpected shell spawns from cert-management contexts. That gives you a fighting chance to catch exploitation attempts even on systems that remain unpatched during normal maintenance.
4. Validate backports before opening change windows — Do not churn thousands of hosts based on upstream version strings alone. Confirm whether your distro already backported the fix, then remediate the truly exposed systems inside the standard patch cycle.

Run this on the target Linux host as a regular user; root is not required unless your cert tooling paths are unreadable. Save it as check-cve-2022-2068.sh and run bash check-cve-2022-2068.sh; it prints VULNERABLE, PATCHED, or UNKNOWN and exits 1, 0, or 2 respectively.

#!/usr/bin/env bash
# check-cve-2022-2068.sh
# Detect likely exposure to OpenSSL c_rehash command injection (CVE-2022-2068)
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

say() { printf '%s\n' "$1"; }

find_c_rehash() {
  local p
  for p in "$(command -v c_rehash 2>/dev/null)" /usr/bin/c_rehash /usr/sbin/c_rehash /usr/local/bin/c_rehash /usr/lib/ssl/misc/c_rehash; do
    [ -n "$p" ] && [ -f "$p" ] && { printf '%s' "$p"; return 0; }
  done
  return 1
}

get_openssl_ver() {
  if ! command -v openssl >/dev/null 2>&1; then
    return 1
  fi
  openssl version 2>/dev/null | awk '{print $2}'
}

# Return 0 if c_rehash appears patched for CVE-2022-2068, 1 otherwise.
# This uses a content fingerprint from upstream's fixed script; distro backports may differ.
patched_script_fingerprint() {
  local f="$1"
  [ -r "$f" ] || return 1
  grep -q 'sub copy_file' "$f" && return 0
  return 1
}

# Return 0 if version falls in an upstream vulnerable range, 1 if not, 2 if unparseable/package-backport likely.
version_in_vuln_range() {
  local v="$1"

  # Distro package versions often contain backport suffixes after '-'. Those need manual/vendor validation.
  if printf '%s' "$v" | grep -q -- '-'; then
    return 2
  fi

  # 1.1.1 branch: vulnerable up to 1.1.1o inclusive; fixed in 1.1.1p
  if printf '%s' "$v" | grep -Eq '^1\.1\.1([a-o]?)$'; then
    return 0
  fi
  if printf '%s' "$v" | grep -Eq '^1\.1\.1[p-z].*$'; then
    return 1
  fi

  # 3.0 branch: vulnerable 3.0.0-3.0.3; fixed in 3.0.4+
  if printf '%s' "$v" | grep -Eq '^3\.0\.[0-3]$'; then
    return 0
  fi
  if printf '%s' "$v" | grep -Eq '^3\.0\.[4-9].*$|^3\.[1-9]\..*$'; then
    return 1
  fi

  # 1.0.2 branch: vulnerable through 1.0.2ze; fixed in 1.0.2zf
  if printf '%s' "$v" | grep -Eq '^1\.0\.2([a-e]?[a-z]?)$'; then
    case "$v" in
      1.0.2zf|1.0.2zg|1.0.2zh|1.0.2zi|1.0.2zj|1.0.2zk|1.0.2zl|1.0.2zm|1.0.2zn|1.0.2zo|1.0.2zp|1.0.2zq|1.0.2zr|1.0.2zs|1.0.2zt|1.0.2zu|1.0.2zv|1.0.2zw|1.0.2zx|1.0.2zy|1.0.2zz) return 1 ;;
      *) return 0 ;;
    esac
  fi

  return 2
}

main() {
  local c_rehash=""
  local ov=""

  c_rehash="$(find_c_rehash 2>/dev/null || true)"
  ov="$(get_openssl_ver 2>/dev/null || true)"

  if [ -n "$c_rehash" ] && patched_script_fingerprint "$c_rehash"; then
    say "PATCHED"
    exit 0
  fi

  if [ -z "$ov" ]; then
    if [ -z "$c_rehash" ]; then
      say "UNKNOWN"
      exit 2
    fi
    # Script exists but we cannot determine linked OpenSSL state reliably.
    say "UNKNOWN"
    exit 2
  fi

  version_in_vuln_range "$ov"
  case $? in
    0)
      if [ -z "$c_rehash" ]; then
        # Vulnerable library train but helper script absent => attack path not present for this CVE.
        say "PATCHED"
        exit 0
      fi
      if patched_script_fingerprint "$c_rehash"; then
        say "PATCHED"
        exit 0
      fi
      say "VULNERABLE"
      exit 1
      ;;
    1)
      say "PATCHED"
      exit 0
      ;;
    2)
      # Likely distro backport or unparseable version; try script fingerprint as best-effort.
      if [ -n "$c_rehash" ] && patched_script_fingerprint "$c_rehash"; then
        say "PATCHED"
        exit 0
      fi
      say "UNKNOWN"
      exit 2
      ;;
  esac
}

main

Sources

1. Tenable plugin 162420
2. OpenSSL Security Advisory 2022-06-21
3. NVD CVE-2022-2068
4. Red Hat bugzilla for CVE-2022-2068
5. Ubuntu USN-5488-1
6. CISA Known Exploited Vulnerabilities Catalog
7. CVEDetails EPSS display for CVE-2022-2068
8. fraf0 GitLab attack-vector analysis