trailofbits.generic.openssl-insecure-flags.openssl-insecure-flags

Author: trailofbits
Found openssl command using insecure flags


Definition

rules:
  - id: openssl-insecure-flags
    message: Found `openssl` command using insecure flags
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-295: Improper Certificate Validation"
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://www.openssl.org/docs/manmaster/man1/
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern-either:
      - pattern: "openssl ... -pass pass:"
      - pattern: "openssl ... -passin pass:"
      - pattern: "openssl ... -passout pass:"
      - pattern: "openssl ... -nodes "
      - pattern: "openssl ... -noenc "
      - pattern: "openssl ... -sha1 "

Examples

openssl-insecure-flags.sh

#!/bin/bash

# ruleid: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass pass:mysecretpass

# ok: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem --noencsomeotherflag

# ok: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass env:PASSVAR
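The six patterns fall into three classes. `-pass pass:`, `-passin pass:` and `-passout pass:` put the passphrase on the command line, where it is readable through `ps`, shell history and CI job logs; OpenSSL's other passphrase sources (`env:`, `file:`, `fd:` and `stdin`) avoid that, which is why the `-pass env:PASSVAR` line above is the "ok" case. `-nodes` (and its OpenSSL 3 spelling `-noenc`) writes the private key to disk unencrypted; that is sometimes unavoidable for a key a service must load unattended, which is why the rule is an audit-category WARNING rather than an error. `-sha1` selects a collision-broken digest for signatures. Two limits of the generic patterns are worth knowing: they match whole flag tokens only (the `--noencsomeotherflag` line above is deliberately not flagged), and any `-sha1` token fires, including `openssl dgst -sha1` used for a non-security checksum. The script below is an added example, not the rule's own test file and not Trail of Bits code: it re-implements the rule's flag list as a portable shell lint that can run in a pre-commit hook without Semgrep, with the replacement invocation for each finding shown beside it in a constructed sample script. The reason strings and the sample file names are this example's own.

```shell
#!/bin/sh
# Added example (not the Trail of Bits rule's own test file): a portable
# re-implementation of the rule's six patterns as a shell lint, so the same
# check can run in a pre-commit hook without Semgrep. The flag list mirrors
# the rule; the wording of each reason is this example's, not the rule's.

# check_openssl_cmd CMD
# Exit 0 and print a reason if CMD is an openssl invocation using a flag the
# rule warns about; exit 1 otherwise. Non-openssl commands are never flagged.
check_openssl_cmd() {
    cmd="$1"
    case "$cmd" in
        *"openssl "*) ;;     # also catches /usr/bin/openssl, sudo openssl, ...
        *) return 1 ;;
    esac
    # Surround with spaces so flags are matched as whole tokens: this is what
    # keeps "--noencsomeotherflag" (the rule's own "ok" case) from matching,
    # while still catching a flag at the very end of the line.
    padded=" $cmd "
    case "$padded" in
        *" -pass pass:"*|*" -passin pass:"*|*" -passout pass:"*)
            echo "passphrase given on the command line (readable via ps, shell history and CI logs); use -pass env:VAR, file:PATH, fd:N or stdin" ;;
        *" -nodes "*|*" -noenc "*)
            echo "private key written to disk unencrypted; confirm this key must be loadable unattended and that file permissions are restricted" ;;
        *" -sha1 "*)
            echo "SHA-1 requested as the signature digest; use -sha256 or stronger" ;;
        *) return 1 ;;
    esac
    # A line with several problems reports only the first matching class.
    return 0
}

# scan_script FILE
# Print one "FILE:LINE: reason: command" line per finding (comments and blank
# lines are skipped). Exit 0 if the file is clean, 1 otherwise, so the
# function can gate a CI job.
scan_script() {
    file="$1"
    hits=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        ws="${line%%[![:space:]]*}"        # leading whitespace
        trimmed="${line#"$ws"}"
        case "$trimmed" in
            ""|\#*) continue ;;
        esac
        if reason=$(check_openssl_cmd "$trimmed"); then
            printf '%s:%d: %s: %s\n' "$file" "$n" "$reason" "$trimmed"
            hits=$((hits + 1))
        fi
    done < "$file"
    [ "$hits" -eq 0 ]
}

# Constructed sample (not from the page): each flagged line is followed by a
# commented-out replacement that the checker accepts.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/sh
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass pass:hunter2
# fix: read the passphrase from the environment or a root-only file instead
# openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass env:KEY_PASS
# openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass file:/etc/ssl/private/key.pass

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
# fix: keep the key encrypted and supply the passphrase through -passout
# openssl req -new -newkey rsa:2048 -keyout server.key -out server.csr -passout env:KEY_PASS

openssl req -new -key server.key -sha1 -out server.csr
# fix: openssl req -new -key server.key -sha256 -out server.csr

# matches the rule's own "ok" case: the token is not exactly -noenc
openssl genpkey -algorithm RSA -out private_key.pem --noencsomeotherflag
EOF

if scan_script "$sample"; then
    echo "no insecure openssl flags found"
else
    echo "insecure openssl flags found; see the lines above"
fi
rm -f "$sample"
```

Run it as `sh openssl-flag-lint.sh` (any name works) to see the three findings from the constructed sample; in a hook, call `scan_script` on each staged shell file and fail the commit on a non-zero exit. The `-nodes`/`-noenc` class is reported with a "confirm" wording rather than a "fix" because the rule itself marks these findings as audit material.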