OpenSSL 1

Tenable plugin 171079 is a bundle finding for OpenSSL 1.1.1 before 1.1.1t. The headline driver is CVE-2023-0286: an X.400 GeneralName type confusion that can expose memory or crash the process, but only when the application enables CRL checking and the attacker can usually supply both the certificate chain and the CRL. The same release also fixed CVE-2022-4304 (RSA timing oracle) plus several mostly crash-grade parsing/API bugs such as CVE-2022-4450 and CVE-2023-0215.

The vendor's HIGH label is technically understandable because OpenSSL is everywhere and the lead CVE crosses a security boundary. In real enterprise deployments, though, the exploitable path is much narrower than the label suggests: uncommon X.400 handling, CRL-specific verification behavior, custom network CRL retrieval, or legacy RSA usage. That makes this a patch-worthy library issue, not a fleet-wide fire drill.

Why this verdict

• CRL gate drops the population hard: the lead High bug only becomes interesting when the app enables CRL checking and the attacker can usually feed both the cert chain and CRL. That is a major downward adjustment from the vendor baseline because most enterprise TLS stacks do not expose that path to arbitrary remote peers.
• AC:H is doing real work here: the 7.4 CVSS is not lying about technical severity, but the high attack complexity maps to real deployment friction. This is not a default-handshake bug that every exposed HTTPS daemon will happily hand to an unauthenticated internet attacker.
• The second-best path is legacy crypto abuse, not mass exploitation: CVE-2022-4304 needs a Bleichenbacher-style timing campaign, large query volume, and favorable network conditions. Requiring legacy RSA decryption behavior and lots of trial traffic is another explicit downward adjustment.
• Most of the bundle is crash-grade or API-specific: the other February 7 fixes in 1.1.1t are mostly parser/DoS issues or misuse-prone public API problems. They matter, but they do not justify treating every 1.1.1 < 1.1.1t hit like imminent remote code execution.
• Ubiquity prevents a LOW: OpenSSL is embedded everywhere, and a few internal PKI, mutual-TLS, VPN, mail, and security products absolutely do use CRLs or brittle certificate parsing paths. That keeps this above backlog noise even after the friction audit.

Why not higher?

There is no strong evidence here of KEV listing, live mass exploitation, or a low-friction unauthenticated RCE path. The attack chain compounds downward: network reachability alone is insufficient, then CRL behavior narrows the population further, and legacy RSA timing attacks narrow it again.

Why not lower?

The lead issue can cross from crash to memory disclosure in the right application, and OpenSSL sits on critical trust boundaries. If you run custom PKI services, mTLS gateways, or products with network CRL retrieval, this bundle is very real even if it is not broadly sprayable.

1. Inventory actual CRL use — Identify which flagged services enable CRL checking or custom CRL retrieval and prioritize those first. For a MEDIUM verdict there is no mitigation SLA — fold this into normal hardening while you work toward the 365-day remediation window.
2. Disable legacy TLS_RSA where possible — Reduce exposure to the CVE-2022-4304 timing-oracle path by preferring modern forward-secret cipher suites and removing RSA key-exchange dependencies on externally reachable services. For this verdict there is no mitigation SLA, but do it during the same hardening cycle as your patch validation.
3. Constrain untrusted certificate material — For internal PKI apps, mTLS gateways, S/MIME/CMS processors, and security appliances, restrict who can feed certificate chains, CRLs, PEM, PKCS7, or CMS content into OpenSSL-backed workflows. With MEDIUM severity, use change-control windows rather than emergency blocks.
4. Restart linked services after package updates — OpenSSL fixes do nothing until processes reload the patched library. When you patch, explicitly restart or roll the services that link against libssl so the remediation actually lands inside the running process set.

Run this on the target Linux host that Nessus flagged, not from an auditor workstation. Invoke it as sudo bash ./check_openssl_111t.sh or sudo bash ./check_openssl_111t.sh /usr/bin/openssl; root is recommended so it can query package metadata and inspect common library paths.

#!/usr/bin/env bash
# check_openssl_111t.sh
# Purpose: classify OpenSSL 1.1.1 < 1.1.1t findings as VULNERABLE / PATCHED / UNKNOWN
# Notes:
# - Understands upstream OpenSSL versioning for the 1.1.1 line.
# - Includes a few common distro backport checks (Ubuntu 18.04/20.04).
# - For other distro-backported builds, outputs UNKNOWN rather than guessing.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

OPENSSL_BIN="${1:-$(command -v openssl 2>/dev/null || true)}"

say() { printf '%s\n' "$*"; }
fail_unknown() { say "UNKNOWN: $*"; exit 2; }
fail_vuln() { say "VULNERABLE: $*"; exit 1; }
pass_patched() { say "PATCHED: $*"; exit 0; }

if [[ -z "$OPENSSL_BIN" || ! -x "$OPENSSL_BIN" ]]; then
  fail_unknown "openssl binary not found; provide a path, e.g. sudo bash ./check_openssl_111t.sh /usr/bin/openssl"
fi

raw_ver="$($OPENSSL_BIN version 2>/dev/null || true)"
[[ -n "$raw_ver" ]] || fail_unknown "unable to execute openssl version"

# Extract versions like 1.1.1s, 1.1.1t, 3.0.8
ver="$(printf '%s' "$raw_ver" | awk '{print $2}')"
[[ -n "$ver" ]] || fail_unknown "could not parse OpenSSL version from: $raw_ver"

# Compare upstream 1.1.1 letter suffixes.
# Returns numeric ordinal for suffix after 1.1.1 (empty => 0, a => 1, ..., t => 20)
letter_ord() {
  local suffix="$1"
  if [[ -z "$suffix" ]]; then echo 0; return; fi
  local c
  c="${suffix:0:1}"
  printf '%d' "$(( $(printf '%d' "'${c}") - 96 ))"
}

check_upstream_111() {
  local v="$1"
  if [[ "$v" =~ ^1\.1\.1([a-z]?)$ ]]; then
    local sfx="${BASH_REMATCH[1]}"
    local ord
    ord="$(letter_ord "$sfx")"
    # 1.1.1t == 20
    if (( ord >= 20 )); then
      pass_patched "upstream OpenSSL version is $v (>= 1.1.1t)"
    else
      fail_vuln "upstream OpenSSL version is $v (< 1.1.1t)"
    fi
  fi
}

# Handle obvious upstream cases first.
if [[ "$ver" =~ ^3\.|^1\.0\.2|^1\.1\.0|^1\.0\. ]]; then
  fail_unknown "binary reports $ver; this script only verifies the Tenable 1.1.1 < 1.1.1t condition"
fi
check_upstream_111 "$ver"

# Distro package checks for common backports.
if command -v dpkg-query >/dev/null 2>&1; then
  os_release="/etc/os-release"
  distro_id=""
  distro_ver=""
  [[ -r "$os_release" ]] && . "$os_release"
  distro_id="${ID:-}"
  distro_ver="${VERSION_ID:-}"

  pkg_ver="$(dpkg-query -W -f='${Version}' libssl1.1 2>/dev/null || true)"
  if [[ -n "$pkg_ver" ]]; then
    if [[ "$distro_id" == "ubuntu" && "$distro_ver" == "20.04" ]]; then
      dpkg --compare-versions "$pkg_ver" ge "1.1.1f-1ubuntu2.17" && pass_patched "Ubuntu 20.04 libssl1.1 package is $pkg_ver (fixed >= 1.1.1f-1ubuntu2.17)"
      fail_vuln "Ubuntu 20.04 libssl1.1 package is $pkg_ver (< 1.1.1f-1ubuntu2.17)"
    fi
    if [[ "$distro_id" == "ubuntu" && "$distro_ver" == "18.04" ]]; then
      dpkg --compare-versions "$pkg_ver" ge "1.1.1-1ubuntu2.1~18.04.21" && pass_patched "Ubuntu 18.04 libssl1.1 package is $pkg_ver (fixed >= 1.1.1-1ubuntu2.1~18.04.21)"
      fail_vuln "Ubuntu 18.04 libssl1.1 package is $pkg_ver (< 1.1.1-1ubuntu2.1~18.04.21)"
    fi
    fail_unknown "dpkg package libssl1.1 is $pkg_ver; this distro may use backports not encoded in this script"
  fi
fi

if command -v rpm >/dev/null 2>&1; then
  rpm_pkg="$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' openssl 2>/dev/null || true)"
  if [[ -n "$rpm_pkg" ]]; then
    fail_unknown "rpm reports '$rpm_pkg'; use the vendor advisory/errata stream for this distro because backports make upstream-style checks unreliable"
  fi
fi

fail_unknown "could not map this host cleanly; raw binary reports '$raw_ver' and no supported package rule matched"

Sources

1. Tenable plugin 171079
2. OpenSSL vulnerabilities advisory page
3. NVD - CVE-2023-0286
4. NVD - CVE-2022-4304
5. Ubuntu USN-5844-1 OpenSSL vulnerabilities
6. Red Hat RHSA-2023:1335
7. CERT-EU advisory 2023-007
8. Docker Scout CVE-2023-0286