trailofbits.generic.openssl-insecure-flags.openssl-insecure-flags
Found openssl command using insecure flags
Definition
# Semgrep rule (generic mode): flags `openssl` invocations that use options
# weakening the protection of keys or passphrases.
rules:
  - id: openssl-insecure-flags
    message: 'Found `openssl` command using insecure flags'
    # Generic mode matches raw text, so this applies to shell scripts and
    # any other file type the scan is pointed at.
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      # NOTE(review): the patterns below catch passphrases given on the command
      # line, unencrypted private-key output and SHA-1 — not certificate
      # validation failures. CWE-295 / "Improper Authentication" look like a
      # loose fit; confirm the intended classification.
      cwe: 'CWE-295: Improper Certificate Validation'
      confidence: MEDIUM
      likelihood: MEDIUM
      impact: HIGH
      references:
        - https://www.openssl.org/docs/manmaster/man1/
      license: AGPL-3.0 license
      vulnerability_class:
        - Improper Authentication
    pattern-either:
      # `pass:` supplies the passphrase literally on the command line, where
      # it is exposed to shell history and process listings. `env:` / `file:`
      # sources are deliberately not matched.
      - pattern: 'openssl ... -pass pass:'
      - pattern: 'openssl ... -passin pass:'
      - pattern: 'openssl ... -passout pass:'
      # `-nodes` (and its OpenSSL 3.x spelling `-noenc`) writes the private
      # key unencrypted. The trailing space is intentional: it prevents
      # matching longer options that merely start with the same letters.
      - pattern: 'openssl ... -nodes '
      - pattern: 'openssl ... -noenc '
      # SHA-1 as a signature digest; trailing space for the same reason.
      - pattern: 'openssl ... -sha1 '
Examples
openssl-insecure-flags.sh
#!/bin/bash
# Semgrep test fixture for openssl-insecure-flags. Per Semgrep's test
# convention, a "ruleid:" annotation marks the next line as one the rule must
# flag and "ok:" marks a line it must not flag.
# The literal passphrase after "pass:" matches the "-pass pass:" pattern.
# ruleid: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass pass:mysecretpass
# "--noencsomeotherflag" is not followed by a space after "noenc", so the
# "-noenc " pattern (trailing space) does not match it.
# ok: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem --noencsomeotherflag
# The passphrase comes from an environment variable ("env:"), not a literal
# "pass:", so none of the patterns match.
# ok: openssl-insecure-flags
openssl genpkey -algorithm RSA -out private_key.pem -aes-256-cbc -pass env:PASSVAR
Short Link: https://sg.run/pKL5k