Microsoft Defender Vulnerability Management Blog
Reduce OpenSSL 3.0 vulnerabilities risks with Microsoft Defender Vulnerability Management

Linh_Hoang
Nov 02, 2022

On November 1, 2022, the OpenSSL team published two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786. OpenSSL versions 3.0.0 through 3.0.6 are affected, and the guidance is that OpenSSL 3.0 users should expedite the upgrade to OpenSSL 3.0.7 to reduce the impact of this threat.

 

Microsoft customers can use Defender Vulnerability Management to identify devices in their organizations that have these vulnerabilities and to track their patching process to minimize risk. Defender Vulnerability Management is a risk-based vulnerability management platform within the Microsoft 365 Defender portal that helps organizations reduce cyber risk with continuous vulnerability discovery, risk-based prioritization, and remediation.

 

Microsoft Defender for Cloud customers can use Defender Vulnerability Management to identify vulnerabilities in the software installed on VMs, and can use the other capabilities highlighted below.

 

Identify vulnerable assets

Figure 1. Within Microsoft 365 Defender Portal, Defender Vulnerability Management can be accessed on the left navigation menu. OpenSSL CVEs are shown in the ‘Weaknesses’ page.

 

Figure 2. The detailed CVE page shows the consolidated view of the organizational exposure of the 2 OpenSSL vulnerabilities (CVE-2022-3786 is shown as an example in the following screenshots).

 

Figure 3. Defender Vulnerability Management finds exposed devices based on vulnerable software and vulnerable files detected on disk.

 

Figure 4. The ‘Security Recommendations’ tab shows the available recommendations for this CVE. Clicking on a recommendation provides additional details and the option to request remediation.

 

Track patching on vulnerable assets

Figure 5. By issuing a ‘request remediation’, users can track the patching process of exposed devices. Submitting a remediation request creates a remediation activity item within vulnerability management, which can be used for monitoring the remediation progress for this recommendation. 

 

___

Advanced hunting

Microsoft customers can also use the advanced hunting query below, which reads the 'DeviceTvmSoftwareVulnerabilities' table, to detect assets running the affected OpenSSL versions.

 

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-3786", "CVE-2022-3602")

 

For a count of vulnerable devices by operating system, users can run the query below:

 

DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-3786", "CVE-2022-3602")
| summarize dcount(DeviceId) by OSPlatform, SoftwareVendor
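When the library ships inside another product, patching has to be routed to that product's owner, so it helps to group exposure by product and version and to attach the on-disk evidence. The query below is an added example, not part of the original post; it assumes the DeviceTvmSoftwareEvidenceBeta table and its DiskPaths column are available in your tenant.

```kusto
// Added example (not from the original post).
// Groups exposure to the two OpenSSL CVEs by the product and version that
// carries the vulnerable component, with sample devices and file paths.
DeviceTvmSoftwareVulnerabilities
| where CveId in ("CVE-2022-3786", "CVE-2022-3602")
// Assumption: DeviceTvmSoftwareEvidenceBeta is populated in this tenant.
// leftouter keeps vulnerable software even when no disk evidence row exists.
| join kind=leftouter (
    DeviceTvmSoftwareEvidenceBeta
    | project DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion, DiskPaths
  ) on DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion
| summarize
    Devices       = dcount(DeviceId),
    Cves          = make_set(CveId),
    SampleDevices = make_set(DeviceName, 5),
    // Skip rows without evidence so the set holds only real paths.
    SamplePaths   = make_set_if(tostring(DiskPaths), isnotnull(DiskPaths), 5)
    by OSPlatform, SoftwareVendor, SoftwareName, SoftwareVersion
| order by Devices desc
```

Rows where SoftwareVendor and SoftwareName point at a third-party application rather than OpenSSL itself indicate a bundled copy, which is fixed by updating that application rather than by installing OpenSSL separately.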

___

 

 

Next steps:

Read more about how you can address the OpenSSL vulnerability with Microsoft Defender for Cloud.

If you haven’t already, sign up for a free 6-month trial of Microsoft Defender Vulnerability Management.

 

We will continue to update this article as needed.

 

Updated Nov 28, 2022
Version 5.0
  • ksobier1160
    Copper Contributor

    We see OpenSSL vulnerabilities on all the computers and they show for the Microsoft applications - OneDrive, Microsoft Photos etc. even though the software is updated to the latest version.

  • Mark_G300
    Copper Contributor

    I'm seeing this issue also on my new Win 11 laptop. Likely related to one of several packages I installed on 12/21/22. No idea of which one. Any fix yet?

  • KailashY
    Copper Contributor

    We are also facing this issue, but are not sure exactly how we can fix these OpenSSL dependencies of different software.

     

    Do we need to install OpenSSL 3.0.7 on the devices to fix it?

     

    Thanks  

  • Sudipa
    Copper Contributor

    We use Microsoft 365 Defender for keeping on top of security. In the past few days we've been flagged for an out-of-date version of OpenSSL within some files within Office 365:

     

    c:\program files\microsoft office\root\office16\odbc drivers\salesforce\lib\libcurl64.dlla\openssl64.dlla\libcrypto-1_1-x64.dll

    c:\program files\microsoft office\root\office16\odbc drivers\salesforce\lib\libcurl64.dlla\openssl64.dlla\libssl-1_1-x64.dll

    c:\program files\microsoft office\root\office16\odbc drivers\salesforce\lib\openssl64.dlla\libcrypto-1_1-x64.dll

    c:\program files\microsoft office\root\office16\odbc drivers\salesforce\lib\openssl64.dlla\libssl-1_1-x64.dll

     

    It seems these are part of the Office 365 install, as I do not see anywhere in Salesforce affected by this vulnerability. This is present in some 10% of the systems in the organization. In which version of Office 365 will it be resolved?