Forum Discussion

sumo83
Iron Contributor
Nov 13, 2023

Update OpenSSL recommendation

Hi all,

I've been trying to find out how to deal with the "openssl" recommendation that I get on almost all end user computers in Defender.

 

I'm just not sure how to deal with it... It doesn't seem to be a particular app or so... From what I see when I check the "software inventory" page of the devices, there are many references to different files/DLLs. See a few examples below:


  • c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll
  • c:\program files\zoom\bin\libcrypto-3-zm.dll
  • c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
  • c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll

How do you deal with it? Is that something that can be pushed via Intune?


  • Sam_G_R
    Copper Contributor

    sumo83 
    This is messy - and I feel your pain. 
    I determined most of my affected versions were in c:\Program Files\.... 
    Git was one, some of the ones you listed and some of the ones listed in one of the other references. 
    I downloaded the most current version of OpenSSL for Windows (version 3.1.4) and copied out the libcrypto and libssl files into a separate folder. 

    15204 2023-Oct-24 13:59:15 openssl-3.1.4.tar.gz (SHA256) (PGP sign) (SHA1)

    and then did a basic PowerShell script to locate and replace all of the out of date libcrypto-3 and libssl-3 versions. 

    Since MS puts special permissions on the PowerBI desktop directory, it failed to update those. Have to do further work there. I don't have the option to remove some or most of these applications. 
    I need to develop a tweak for Zoom with the customized file naming. 
    I did not include appdata locations, looks like I need to address those. 

    However, as soon as the script ran, 3.1.4 now shows as vulnerable. 
    In addition, my script does not account for files being in use and skips that directory. I guess I should set this up to run at startup somehow.  


    I then found machines with the 32 bit versions as well. 

    Also note that OpenSSL 1.x is no longer supported and needs to be replaced. Not sure where to even get started there, other than to keep patching the applications that use OpenSSL as dependencies until they catch up.


    This is just one machine - 
    c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
    c:\program files\microsoft onedrive\23.226.1031.0003\libcrypto-1_1-x64.dll
    %userprofile%\appdata\local\programs\cisco spark\dependencies\libcrypto-1_1-x64.dll
    %userprofile%\appdata\local\webex\wbxcache\webexdelta\x64\43.10.1-9\meetings\libcrypto-1_1-x64.dll
    c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_367008a610747d24\lib\libcrypto-1_1-x64.dll


    PowerShell script for replacement - 

    This needs lots of additional work - I don't spend enough time in PS - 
    I had to continue through parsing errors for the Power BI Directory, as well as for files in use issues during the file replacement. 
    The last three lines were used to create an easy way to get verification that it ran. 
    I then wrapped it with a folder that contained the updated lib-3 files and rolled it out as a Win32 application. Someone that is more practiced with PS could really improve this. 


    # Source files: the 3.1.4 DLLs shipped next to the script in the openssl_dll subfolder
    $source  = "$PSScriptRoot\openssl_dll\libcrypto-3-x64.dll"
    $source2 = "$PSScriptRoot\openssl_dll\libssl-3-x64.dll"

    # Target folder: files found under here are replaced with the source files if their
    # version is older than 3.1.4. Compare as [version], not as strings, so that e.g.
    # 3.0.12 and 3.10.x sort correctly; -as [version] yields $null for unparsable strings.
    $minVersion = [version]'3.1.4'
    $TARGET = Get-ChildItem -Recurse -Path 'C:\Program Files\' -Filter 'libcrypto-3-x64.dll' -ErrorAction SilentlyContinue |
              Where-Object { $v = $_.VersionInfo.ProductVersion -as [version]; $v -and $v -lt $minVersion }

    foreach ($file in $TARGET)
    {
        Copy-Item -Path $source -Destination $file.FullName -Force
    }

    $TARGET2 = Get-ChildItem -Recurse -Path 'C:\Program Files\' -Filter 'libssl-3-x64.dll' -ErrorAction SilentlyContinue |
               Where-Object { $v = $_.VersionInfo.ProductVersion -as [version]; $v -and $v -lt $minVersion }

    foreach ($file in $TARGET2)
    {
        Copy-Item -Path $source2 -Destination $file.FullName -Force
    }

    # Successful run: drop a marker file that the Win32 app detection rule can look for
    if (-not (Test-Path "$($env:ProgramData)\OpenSSL_update3.1.4"))
    {
        New-Item -ItemType Directory -Path "$($env:ProgramData)\OpenSSL_update3.1.4" | Out-Null
    }
    Set-Content -Path "$($env:ProgramData)\OpenSSL_update3.1.4\openssl.txt" -Value "Script executed!"


    Lastly - Microsoft needs to address their out of date usage of dependencies - not only are OpenSSL components out of date, I now have the vulnerability scanner I use for our servers reporting that I have a critical Curl/libcurl flaw on the servers - 
    And it turns out to be the Microsoft MDATP agent. 

    CVSSv3 9.8

    /opt/microsoft/mdatp/lib/libcurl.so.4 
    version: 7.79.1


    As it is being used, I don't believe it is an issue. Not sure if I can do a rip and replace of the libcurl.so file and have it work.
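Putting sumo83's question (what are all these libcrypto/libssl paths, and can a fix be pushed) and the replacement script above together, the following is an added example, not code from this thread or from Microsoft or the OpenSSL project. It inventories every libcrypto-*/libssl-* DLL under both Program Files trees, the driver store and every profile's AppData\Local, compares versions numerically instead of as strings, reports the cases the script above runs into (file in use, no write access, 1.1.x copies that have no 3.x drop-in, renamed copies such as Zoom's), and only replaces same-name 3.x DLLs when run with -Replace. The openssl_dll folder layout, the report path under ProgramData, the 3.1.4 target and the use of takeown/icacls for the permission case are assumptions of the example.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not code from the thread: inventory every private OpenSSL
  copy on a Windows endpoint, then replace only what can safely be replaced.
  Assumed layout: the replacement DLLs sit in .\openssl_dll next to this script,
  named exactly as the copies inside the applications (libcrypto-3-x64.dll,
  libssl-3-x64.dll, and the -x86 variants if you ship them).
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]  $SourceDir     = "$PSScriptRoot\openssl_dll",
    [version] $TargetVersion = '3.1.4',
    [switch]  $Replace,        # without it the script only reports
    [switch]  $TakeOwnership,  # repair vendor ACLs (the Power BI case) before replacing
    [string]  $Report        = "$env:ProgramData\OpenSSL_update\report.csv"   # assumed path
)

# Where vendor apps keep private OpenSSL copies: both Program Files trees, the
# driver store, and every profile's AppData\Local (Webex, Cisco Spark, ...).
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
           "$env:SystemRoot\System32\DriverStore\FileRepository") +
         @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
           ForEach-Object { Join-Path $_.FullName 'AppData\Local' })

function Get-DllVersion([System.IO.FileInfo]$File) {
    # Compare as [version], never as strings ('3.0.12' -lt '3.1.4' is a string
    # comparison). Take only the numeric prefix; some builds append "+quic" etc.
    if ("$($File.VersionInfo.FileVersion)" -match '^(\d+\.\d+\.\d+)') { return [version]$Matches[1] }
    return $null
}

function Test-FileState([string]$Path) {
    # An exclusive open fails with a sharing violation while a process has the DLL
    # mapped (the "in use" case) and with access denied on a locked-down ACL.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'ReadWrite', 'None')
        $fs.Dispose()
        return 'free'
    }
    catch [System.UnauthorizedAccessException] { return 'no-access' }
    catch [System.IO.IOException]              { return 'in-use' }
}

function Get-PlannedAction([System.IO.FileInfo]$File, [version]$Version) {
    if (-not $Version)               { return 'unknown-version' }
    # 1.1.x and 3.x are different ABIs: no drop-in swap, the application must ship a fix.
    if ($Version.Major -lt 3)        { return 'eol-1.x-patch-the-app' }
    if ($Version -ge $TargetVersion) { return 'up-to-date' }
    # Renamed copies (Zoom's libcrypto-3-zm.dll) import each other by that custom
    # name, so a stock libssl-3-x64.dll dropped in would fail to load. Report only.
    if (-not (Test-Path -LiteralPath (Join-Path $SourceDir $File.Name))) { return 'custom-name-skip' }
    return 'replace'
}

$files = foreach ($root in $roots) {
    if ($root -and (Test-Path -LiteralPath $root)) {
        Get-ChildItem -Path $root -Recurse -File -Include 'libcrypto-*.dll', 'libssl-*.dll' -ErrorAction SilentlyContinue
    }
}

$rows = foreach ($file in $files) {
    $version = Get-DllVersion $file
    $result  = Get-PlannedAction $file $version
    $state   = ''
    if ($result -eq 'replace') {
        $state = Test-FileState $file.FullName
        if ($state -eq 'no-access' -and $TakeOwnership) {
            # Hand the file to BUILTIN\Administrators (SID form is locale-independent), then retry.
            & takeown.exe /F $file.FullName /A | Out-Null
            & icacls.exe $file.FullName /grant '*S-1-5-32-544:F' | Out-Null
            $state = Test-FileState $file.FullName
        }
        if ($state -ne 'free')  { $result = "blocked-$state" }   # retry at startup / after stopping the service
        elseif (-not $Replace)  { $result = 'would-replace' }
        elseif ($PSCmdlet.ShouldProcess($file.FullName, "replace with OpenSSL $TargetVersion")) {
            Copy-Item -LiteralPath (Join-Path $SourceDir $file.Name) -Destination $file.FullName -Force
            $result = 'replaced'
        }
        else                    { $result = 'skipped' }          # -WhatIf or -Confirm declined
    }
    [pscustomobject]@{
        Path    = $file.FullName
        Version = "$version"
        Signer  = (Get-AuthenticodeSignature -FilePath $file.FullName).SignerCertificate.Subject
        State   = $state
        Result  = $result
    }
}

$rows | Sort-Object Result, Path | Format-Table -AutoSize
New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
$rows | Export-Csv -Path $Report -NoTypeInformation
# Detection marker for the Win32 app: how many copies still need a retry
$blocked = @($rows | Where-Object { $_.Result -like 'blocked-*' }).Count
Set-Content -Path (Join-Path (Split-Path $Report) 'status.txt') -Value "remaining=$blocked"
```

Run it first without -Replace (or with -Replace -WhatIf) to see what would change, deploy it as the Win32 app with -Replace -TakeOwnership, and re-run it at startup for anything reported as blocked-in-use. The eol-1.x rows cannot be fixed by file replacement at all; those wait for a vendor update or for the product to be removed, and the Signer column shows whose signature you break when you do overwrite a vendor DLL.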

     

     

    • TecEFX
      Copper Contributor

      Sam_G_R & sumo83

      I have a similar issue pointing to an unpublished CVE-2024-4741. This CVE shows as "reserved", but openssl-library.org has an advisory here: 

      openssl-library.org/news/secadv/20240528.txt

      I am assuming this is still being investigated.  1. Add this vulnerability to your risk register.  2. Evaluate affected clients against risk tolerance.

      Warning - I have read that the DLLs are hardcoded in the applications that use them, so take a snapshot on a VM before removing the previous versions.  Stop services, close handles, and use the takeown PowerShell command to remove / replace libssl-3-x64.dll.

      3. Remove vulnerable applications if possible.  4. Identify alternative controls for mission critical systems.  5. Update your legal department to ensure effective cyber insurance coverage.

  • LeonPavesic
    Silver Contributor

    Hi sumo83,

    thanks for your question.

    As per a post on https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-prepare-with-microsoft-defender-for/ba-p/3666487, the OpenSSL team has identified two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.

    All OpenSSL versions between 3.0.0 and 3.0.6 are affected, and users of OpenSSL 3.x are advised to promptly upgrade to version 3.0.7 to mitigate the potential impact of these vulnerabilities.


    To address this vulnerability, follow the instruction in the [Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-prepare-with-microsoft-defender-for/ba-p/3666487) blog post.

    Microsoft Defender for Cloud offers various methods to quickly assess vulnerability and prioritize actions. Utilize attack path analysis to identify and prioritize remediation for workloads posing the highest risk to your organization. The cloud security explorer allows you to hunt for all impacted workloads related to the OpenSSL v3 vulnerability, offering additional context for prioritization. Leverage vulnerability assessments for VMs, containers, and container images to prioritize remediation for the most critical workloads.

    You can use these links for more information:
    (1) [New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-prepare-with-microsoft-defender-for/ba-p/3666487)
    (2) [CERT-EU - UPDATE: OpenSSL Critical Vulnerability](https://cert.europa.eu/publications/security-advisories/2022-073/)
    (3) [OpenSSL: update to close the critical security vulnerability available - heise online](https://www.heise.de/news/OpennSSL-Update-zum-Schliessen-der-kritischen-Sicherheitsluecke-verfuegbar-7326009.html)

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic

    • sumo83
      Iron Contributor
      Thank you for the info. I'm wondering, for example, about a VM that I run in Azure and that shows the below:

      c:\packages\plugins\microsoft.azure.security.monitoring.azuresecuritywindowsagent\1.8.0.76\libcrypto-1_1-x64.dll
      c:\packages\plugins\microsoft.azure.security.monitoring.azuresecuritywindowsagent\1.8.0.76\libssl-1_1-x64.dll
      c:\packages\plugins\microsoft.guestconfiguration.configurationforwindows\1.29.44.0\dsc\gc\libcrypto-1_1-x64.dll
      c:\packages\plugins\microsoft.guestconfiguration.configurationforwindows\1.29.44.0\dsc\gc\libssl-1_1-x64.dll

      Will manual upgrading of openssl to newer version help with those references? Or do I somehow update them?
