OpenSSL 1

Plugin tenable:173260 rolls up four OpenSSL issues for 1.1.1 before 1.1.1u: CVE-2023-0464, CVE-2023-0465, CVE-2023-0466, and CVE-2023-2650. Three are certificate-policy verification edge cases, and the fourth is a slow ASN.1 OBJECT IDENTIFIER parsing bug. In plain English: an attacker needs the application to either explicitly enable non-default X.509 policy checks or to feed untrusted ASN.1 into OBJ_obj2txt() / similar niche parsing paths; this is not an OpenSSL-is-generally-RCE situation.

The vendor MEDIUM label is defensible only in a vacuum. In real enterprise deployments, this deserves a downgrade to LOW because the reachable population is much smaller than the score suggests: policy checks are disabled by default, OpenSSL itself says those policy bugs are Low, and it also says CVE-2023-2650 is effectively low concern on 1.1.1 unless an application directly calls the vulnerable translation path on attacker-controlled data.

Why this verdict

• Default-off prerequisite: three of the four CVEs need certificate policy checking to be enabled, and OpenSSL says those checks are disabled by default; that is strong downward pressure from the vendor MEDIUM baseline.
• 1.1.1-specific reality check: OpenSSL states CVE-2023-2650 is only low concern on 1.1.1/1.0.2 unless an application directly calls OBJ_obj2txt() with untrusted data. The noisier, more broadly reachable 3.x parsing scenarios do not map cleanly to this plugin.
• No exploit pressure: no KEV listing, no public weaponized exploit trend, and Tenable says no known exploits are available. Without active abuse, this stays a narrow engineering flaw rather than an incident-driver.

Why not higher?

There is no default, broad, unauthenticated internet RCE story here. The attacker usually needs a specific application behavior that many enterprises never enable, and the likely outcomes are limited to policy bypass in niche PKI workflows or process-level DoS rather than whole-host takeover.

Why not lower?

It is still a real security defect family, not pure false positive noise. PKI-heavy environments, custom certificate-validation code, middleware doing signed-message parsing, or internal services ingesting attacker-controlled ASN.1 can absolutely make these bugs operationally relevant on the wrong app.

1. Validate the code path before you escalate — For a LOW verdict, there is no mitigation SLA; use the next routine review cycle to confirm whether the affected application enables certificate policy checking or passes untrusted ASN.1 into OBJ_obj2txt(). If the answer is no, document the rationale and avoid treating every OpenSSL 1.1.1 hit as equally urgent.
2. Prefer vendor or distro backport truth over raw version strings — Check package changelogs or vendor advisories before opening emergency work. Debian, for example, fixed these in backported package releases that still present an older upstream-looking base version; do that validation during normal backlog triage for this LOW item.
3. Constrain untrusted certificate and ASN.1 inputs — Where you own the application stack, add message-size limits and avoid unnecessary certificate-policy validation paths. Do this in normal maintenance because there is no noisgate mitigation SLA for a LOW finding, but it materially reduces the only realistic abuse path here.
4. Monitor for service-level stress, not just CVE presence — Because the practical failure mode is more likely latency or CPU burn than silent compromise, make sure the services using OpenSSL have process CPU, request latency, and auth-failure telemetry. That is the best operational hedge while the patch sits in backlog hygiene.

Run this on the target host or golden image that triggered plugin 173260. Invoke it as python3 verify_openssl_173260.py /usr/bin/openssl or just python3 verify_openssl_173260.py; no admin rights are required for the basic binary check, but package-manager backport validation works best with normal local package query access.

#!/usr/bin/env python3
# verify_openssl_173260.py
# Check whether a host appears vulnerable to Nessus plugin 173260
# (OpenSSL 1.1.1 < 1.1.1u multiple vulnerabilities).
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import os
import re
import shutil
import subprocess
import sys

EXIT_PATCHED = 0
EXIT_VULNERABLE = 1
EXIT_UNKNOWN = 2


def run(cmd):
    try:
        p = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, timeout=10)
        return p.returncode, (p.stdout or '').strip(), (p.stderr or '').strip()
    except Exception as e:
        return 99, '', str(e)


def dpkg_compare(v1, op, v2):
    if not shutil.which('dpkg'):
        return None
    rc, _, _ = run(['dpkg', '--compare-versions', v1, op, v2])
    return rc == 0


def check_debian_backport():
    if not shutil.which('dpkg-query'):
        return None

    candidates = []
    for pkg in ['openssl', 'libssl1.1']:
        rc, out, _ = run(['dpkg-query', '-W', '-f=${Package}\t${Version}\n', pkg])
        if rc == 0 and out:
            candidates.extend([line for line in out.splitlines() if line.strip()])

    if not candidates:
        return None

    for line in candidates:
        try:
            pkg, ver = line.split('\t', 1)
        except ValueError:
            continue

        # Known fixed Debian backports for these CVEs
        fixed_versions = [
            '1.1.1n-0+deb11u5',
            '1.1.1n-0+deb10u5',
        ]

        for fixed in fixed_versions:
            if dpkg_compare(ver, 'ge', fixed):
                return ('PATCHED', f'{pkg} package version {ver} includes a known Debian backport at or above {fixed}')

        if ver.startswith('1.1.1'):
            return ('VULNERABLE', f'{pkg} package version {ver} is older than the known Debian fixed backports checked by this script')

    return None


def parse_openssl_version(text):
    # Examples:
    # OpenSSL 1.1.1t  7 Feb 2023
    # OpenSSL 1.1.1u  30 May 2023
    m = re.search(r'OpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)', text)
    if not m:
        return None, None
    return m.group(1), m.group(2) or ''


def check_binary(path):
    rc, out, err = run([path, 'version', '-v'])
    if rc != 0:
        return ('UNKNOWN', f'failed to query {path}: {err or out or "no output"}')

    core, suffix = parse_openssl_version(out)
    if not core:
        return ('UNKNOWN', f'unrecognized version output from {path}: {out}')

    if core != '1.1.1':
        return ('UNKNOWN', f'{path} reports OpenSSL {core}{suffix}; plugin 173260 is specifically for the 1.1.1 < 1.1.1u branch')

    if suffix == '':
        return ('VULNERABLE', f'{path} reports OpenSSL 1.1.1 with no patch letter; this is older than 1.1.1u')

    if suffix < 'u':
        return ('VULNERABLE', f'{path} reports OpenSSL 1.1.1{suffix}; this is older than 1.1.1u')

    return ('PATCHED', f'{path} reports OpenSSL 1.1.1{suffix}; this is at or above 1.1.1u')


def main():
    if len(sys.argv) > 2:
        print('UNKNOWN - usage: python3 verify_openssl_173260.py [path_to_openssl]')
        sys.exit(EXIT_UNKNOWN)

    # Debian backport check first, because raw openssl version strings can be misleading there.
    deb = check_debian_backport()
    if deb:
        state, msg = deb
        print(f'{state} - {msg}')
        sys.exit(EXIT_PATCHED if state == 'PATCHED' else EXIT_VULNERABLE)

    path = sys.argv[1] if len(sys.argv) == 2 else shutil.which('openssl')
    if not path:
        print('UNKNOWN - openssl binary not found in PATH; provide an explicit path')
        sys.exit(EXIT_UNKNOWN)

    state, msg = check_binary(path)
    print(f'{state} - {msg}')
    if state == 'PATCHED':
        sys.exit(EXIT_PATCHED)
    if state == 'VULNERABLE':
        sys.exit(EXIT_VULNERABLE)
    sys.exit(EXIT_UNKNOWN)


if __name__ == '__main__':
    main()

Sources

1. Tenable Nessus Plugin 173260
2. OpenSSL Security Advisory 2023-03-22 (CVE-2023-0464)
3. OpenSSL Security Advisory 2023-03-28 (CVE-2023-0465 / CVE-2023-0466)
4. OpenSSL Security Advisory 2023-05-30 (CVE-2023-2650)
5. OpenSSL 1.1.1 Series Release Notes
6. NVD CVE-2023-0464
7. CISA Known Exploited Vulnerabilities Catalog
8. Debian DSA-5417-1 openssl security update