Update OpenSSL recommendation


Hi all,

 

I've been trying to find out how to deal with the "openssl" recommendation that I get on almost all end user computers in Defender.

 

I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/DLLs?? See a few examples below:

 

  • c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll
  • c:\program files\zoom\bin\libcrypto-3-zm.dll
  • c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
  • c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll

 

How do you deal with it? .. Is that something that can be pushed via Intune..?

 

9 Replies

Hi @sumo83,

thanks for your question.

 

As per a post on https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre..., the OpenSSL team has identified two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.

All OpenSSL versions between 3.0.0 and 3.0.6 are affected, and users of OpenSSL 3.x are advised to promptly upgrade to version 3.0.7 to mitigate the potential impact of these vulnerabilities.


To address this vulnerability, follow the instruction in the [Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre...) blog post.

Microsoft Defender for Cloud offers various methods to quickly assess vulnerability and prioritize actions. Utilize attack path analysis to identify and prioritize remediation for workloads posing the highest risk to your organization. The cloud security explorer allows you to hunt for all impacted workloads related to the OpenSSL v3 vulnerability, offering additional context for prioritization. Leverage vulnerability assessments for VMs, containers, and container images to prioritize remediation for the most critical workloads.

 

You can use these links for more information:
(1) [New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre...)
(2) [CERT-EU - UPDATE: OpenSSL Critical Vulnerability](https://cert.europa.eu/publications/security-advisories/2022-073/)
(3) [OpenSSL: Update zum Schließen der kritischen Sicherheitslücke verfügbar - heise online](https://www.heise.de/news/OpennSSL-Update-zum-Schliessen-der-kritischen-Sicherheitsluecke-verfuegbar...)

Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)

thank you for the info.... I'm wondering... for example a VM that I run in AZURE and shows the below:

c:\packages\plugins\microsoft.azure.security.monitoring.azuresecuritywindowsagent\1.8.0.76\libcrypto-1_1-x64.dll
c:\packages\plugins\microsoft.azure.security.monitoring.azuresecuritywindowsagent\1.8.0.76\libssl-1_1-x64.dll
c:\packages\plugins\microsoft.guestconfiguration.configurationforwindows\1.29.44.0\dsc\gc\libcrypto-1_1-x64.dll
c:\packages\plugins\microsoft.guestconfiguration.configurationforwindows\1.29.44.0\dsc\gc\libssl-1_1-x64.dll

Will manual upgrading of openssl to newer version help with those references? Or do I somehow update them?

Hi @sumo83,

unfortunately, I’m not sure if manual upgrading of OpenSSL to a newer version will help with the references you mentioned.

You should use this article as an official guide:
New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub




Kindest regards,


Leon Pavesic
(LinkedIn)

The linked blog post (https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre...) being suggested to follow for remediation of this issue does not seem to apply anymore. MS has rearranged and renamed so many areas of Azure/Entra/Defender that I can't even find "Attack Paths," rendering this guide useless.

Has anyone found any other solutions to this?

@tophneal I am struggling with the same.  I found several articles - and using the following powershell command (make sure to run powershell as an admin) - I was able to narrow in on where I have OpenSSL on our machines.

 

Get-ChildItem -Path C:\ -Filter 'libssl*' -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty VersionInfo | Sort-Object ProductVersion, FileName | Format-Table -AutoSize

 

The culprits for us are:

Webex

Zoom

PowerBI Desktop

Salesforce ODBC drivers installed by default in Office

OneDrive

And 2 locations within c:\windows\system32\driverstore\filerepository which seem to be linked to the Intel Trusted Connect Service Client

 

I uninstalled Webex, Zoom, and PowerBI Desktop.  I deleted the Salesforce ODBC drivers.  OneDrive appears to have updated itself overnight even though I have the same version this morning as I did last night - that is no longer showing up in my list.  I am left with the two locations for the Intel Trusted Connect Service Client and I am still looking for how I can update that.  I found this article - Surface Go update history - Microsoft Support - which seems to indicate the Nov 2022 update took care of updating the Intel Trusted Connect service client.  I don't have a Surface Go - but I did just go through the steps in the article and it did find an update for the chipset.  I'm going to reboot and see if that did anything - as of now - nothing changed.
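An added example (not the poster's command, and not from any Microsoft article) that extends the one-liner above into a full inventory: it scans the locations named in this thread, including per-user AppData and the DriverStore, and buckets each libssl/libcrypto DLL by version using the facts stated earlier in the thread (3.0.0 through 3.0.6 affected by CVE-2022-3602 and CVE-2022-3786; 1.x end of life). The root list, the function names and the bucket labels are this example's own assumptions; anything outside those two buckets is reported for review against current OpenSSL advisories rather than declared clean, since, as the thread shows later, even 3.1.4 can still be flagged.

```powershell
<# Added example, not from the thread or from Microsoft: inventory every OpenSSL DLL on a
   Windows host and bucket it by version so the Defender recommendation can be traced to the
   application that ships the file. Root list, bucket labels and function names are assumed. #>
[CmdletBinding()]
param(
    # Folders to scan; every finding quoted in this thread falls under one of these
    [string[]]$Roots = @(
        "$env:ProgramFiles",
        ${env:ProgramFiles(x86)},
        "$env:ProgramData",
        "$env:SystemRoot\System32\DriverStore\FileRepository",
        "$env:SystemDrive\Users"        # covers every user's AppData\Local (Webex, Cisco Spark, ...)
    ),
    # Optional CSV report for ticketing or Intune remediation tracking
    [string]$ReportPath
)

# Turn FileVersionInfo.ProductVersion ("1.1.1t", "3.0.2") into a [version]; $null when unparseable
function ConvertTo-DllVersion([string]$Text) {
    try { [version]($Text -replace '[^\d.].*$') } catch { $null }
}

# Classify a parsed version against the facts stated in this thread
function Get-OpenSslBucket($V) {
    if (-not $V)      { return 'unknown (no ProductVersion)' }
    if ($V.Major -lt 3) { return '1.x - end of life, needs a vendor build on 3.x' }
    if ($V -ge [version]'3.0.0' -and $V -le [version]'3.0.6') {
        return '3.0.0-3.0.6 - CVE-2022-3602 / CVE-2022-3786'
    }
    return 'review against current OpenSSL advisories'
}

function Get-OpenSslInventory {
    param([string[]]$Paths)
    foreach ($root in ($Paths | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -Include 'libssl*.dll', 'libcrypto*.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = ConvertTo-DllVersion $_.VersionInfo.ProductVersion
            $versionText = if ($v) { $v.ToString() } else { $_.VersionInfo.ProductVersion }
            $arch = if ($_.Name -match 'x64') { 'x64' } else { 'x86/unknown' }
            [pscustomobject]@{
                Path    = $_.FullName
                Version = $versionText
                Bucket  = Get-OpenSslBucket $v
                # First folder below the scanned root is usually the owning product (zoom, dell, webex ...)
                Owner   = ($_.FullName.Substring($root.Length).TrimStart('\') -split '\\')[0]
                Arch    = $arch
            }
        }
    }
}

$inventory = Get-OpenSslInventory -Paths $Roots
$inventory | Sort-Object Bucket, Owner, Path | Format-Table Bucket, Owner, Version, Arch, Path -AutoSize
if ($ReportPath) { $inventory | Export-Csv -Path $ReportPath -NoTypeInformation }
```

Run it elevated so the DriverStore and other users' profiles are readable. The Owner column is the first folder below the scanned root, which under C:\Users is the user name rather than the application, so read it together with Path; the Arch column only recognises the conventional "-x64" suffix, so vendor-renamed copies such as Zoom's libcrypto-3-zm.dll show as "x86/unknown" and need a manual look.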

 

@tophneal - I see the attack path analysis in Defender for Cloud -> Left panel... in General section... However, it didn't help me with identifying openSSL much.

cool... great info... Will have a look at this... Thanks a lot for sharing this
The chipset update that was discovered via the Surface app still didn't update the Intel Trusted Connect client files. I found this article - https://support.microsoft.com/en-us/surface/download-drivers-and-firmware-for-surface-09bb2e09-2a4b-... - that had where I could download the Surface Laptop 5 updates manually - and according to the Nov. 2023 update history - the Intel connect should have been updated - https://support.microsoft.com/en-us/surface/surface-laptop-5-update-history-9dc3d957-f661-454f-9a59-.... Still showing those files are the old OpenSSL version. Beyond frustrating!

 

@sumo83 
This is messy - and I feel your pain. 
I determined most of my affected versions were in c:\Program Files\.... 
Git was one, some of the ones you listed and some of the ones listed in one of the other references. 
I downloaded the most current version of OpenSSL for Windows, version 3.1.4, and copied the libcrypto and libssl files out into a separate folder. 

15204 2023-Oct-24 13:59:15 openssl-3.1.4.tar.gz (SHA256) (PGP sign) (SHA1)

and then did a basic PowerShell script to locate and replace all of the out of date libcrypto-3 and libssl-3 versions. 

Since MS puts special permissions on the PowerBI desktop directory, it failed to update those. Have to do further work there. I don't have the option to remove some or most of these applications. 
I need to develop a tweak for Zoom with the customized file naming. 
I did not include appdata locations, looks like I need to address those. 

However, as soon as the script ran, 3.1.4 now shows as vulnerable. 
In addition, my script does not account for if the files are in use and skips that directory. I guess I should set this up to run at startup somehow.  

(screenshot omitted: Sam_G_R_0-1700846829392.png)
I then found machines with the 32 bit versions as well. 

Also note that OpenSSL 1.x is no longer supported and needs to be replaced. Not sure where to even get started there, other than to keep patching the applications that use OpenSSL as dependencies until they catch up.


This is just one machine - 
c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
c:\program files\microsoft onedrive\23.226.1031.0003\libcrypto-1_1-x64.dll
%userprofile%\appdata\local\programs\cisco spark\dependencies\libcrypto-1_1-x64.dll
%userprofile%\appdata\local\webex\wbxcache\webexdelta\x64\43.10.1-9\meetings\libcrypto-1_1-x64.dll
c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_367008a610747d24\lib\libcrypto-1_1-x64.dll


PowerShell script for replacement - 

This needs lots of additional work - I don't spend enough time in PS - 
I had to continue through parsing errors for the Power BI Directory, as well as for files in use issues during the file replacement. 
The last three lines were used to create an easy way to get verification that it ran. 
I then wrapped it with a folder that contained the updated lib-3 files and rolled it out as a Win32 application. Someone that is more practiced with PS could really improve this. 

 

# Source files (updated OpenSSL 3.1.4 DLLs shipped next to the script)
$source  = "$PSScriptRoot\openssl_dll\libcrypto-3-x64.dll"
$source2 = "$PSScriptRoot\openssl_dll\libssl-3-x64.dll"

# Parse ProductVersion as [version] so that 3.0.9 < 3.1.4 is compared numerically rather than as text;
# returns $null when the file carries no parseable version (such files are then left alone)
function Get-DllVersion($file) {
    try { [version]($file.VersionInfo.ProductVersion -replace '[^\d.].*$') } catch { $null }
}

# Target files: every libcrypto-3-x64.dll under Program Files older than 3.1.4 is replaced from the source folder
$TARGET = Get-ChildItem -Recurse -Path "C:\Program Files\" -Filter "libcrypto-3-x64.dll" -ErrorAction SilentlyContinue |
    Where-Object { $v = Get-DllVersion $_; $v -and $v -lt [version]'3.1.4' }

foreach ($file in $TARGET)
{
    # Copy-Item fails for files that are in use or sit in directories with restricted ACLs (e.g. Power BI Desktop)
    Copy-Item -Path $source -Destination $file.FullName -Force | Out-Null
}

$TARGET2 = Get-ChildItem -Recurse -Path "C:\Program Files\" -Filter "libssl-3-x64.dll" -ErrorAction SilentlyContinue |
    Where-Object { $v = Get-DllVersion $_; $v -and $v -lt [version]'3.1.4' }

foreach ($file in $TARGET2)
{
    Copy-Item -Path $source2 -Destination $file.FullName -Force | Out-Null
}

# Successful run: drop a marker file so the deployment (e.g. an Intune Win32 app detection rule) can verify the script ran
if (-not (Test-Path "$($env:ProgramData)\OpenSSL_update3.1.4"))
{
    New-Item -ItemType Directory -Path "$($env:ProgramData)\OpenSSL_update3.1.4" | Out-Null
}
Set-Content -Path "$($env:ProgramData)\OpenSSL_update3.1.4\openssl.txt" -Value "Script executed!"
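A reworked version, added here as an example and not the poster's script, that addresses the gaps the poster lists (files in use, the Power BI directory permissions, AppData locations, 32-bit DLLs) and adds the checks a practitioner would want before copying DLLs into vendor folders: the staged replacement files are hash-checked against values you record when you obtain the build, each original is kept as a .bak for rollback, and every decision is logged to CSV. The stage folder layout, the PLACEHOLDER hashes, the log path and all function names are assumptions of this example; the script refuses to change anything until the placeholders are replaced with real SHA-256 values.

```powershell
<# Added example, not the thread's script. Replaces outdated OpenSSL 3 DLLs from a staged
   folder, skipping files that are in use or not writable and logging every decision.
   Assumed: stage folder layout, PLACEHOLDER hashes (fill in before use), log path, names. #>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$StageDir = "$PSScriptRoot\openssl_dll",
    [version]$MinimumVersion = '3.1.4',
    [string[]]$SearchRoots = @("$env:ProgramFiles", ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users"),
    [string]$LogPath = "$env:ProgramData\OpenSSL_update\replace.csv"
)

# Staged file name -> SHA-256 you recorded when you obtained the build (PLACEHOLDER values here).
# Both 64-bit and 32-bit names are listed because the thread found both on client machines.
$Expected = @{
    'libcrypto-3-x64.dll' = 'PLACEHOLDER_SHA256'
    'libssl-3-x64.dll'    = 'PLACEHOLDER_SHA256'
    'libcrypto-3.dll'     = 'PLACEHOLDER_SHA256'
    'libssl-3.dll'        = 'PLACEHOLDER_SHA256'
}

function ConvertTo-DllVersion([string]$Text) {
    try { [version]($Text -replace '[^\d.].*$') } catch { $null }
}

# $null when the file can be opened exclusively, otherwise the reason it cannot (loaded DLL, restrictive ACL)
function Get-FileBlocker([string]$Path) {
    try { $fs = [IO.File]::Open($Path, 'Open', 'ReadWrite', 'None'); $fs.Close(); $null }
    catch [System.UnauthorizedAccessException] { 'access denied' }
    catch [System.IO.IOException]              { 'in use' }
    catch                                      { $_.Exception.GetType().Name }
}

# Never roll out staged DLLs whose hash differs from what you recorded
function Test-StagedFiles {
    foreach ($name in $Expected.Keys) {
        $p = Join-Path $StageDir $name
        if (-not (Test-Path -LiteralPath $p)) { return $false }
        if ((Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash -ne $Expected[$name]) { return $false }
    }
    return $true
}

function Update-OpenSslDll {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (-not (Test-StagedFiles)) { throw "Staged DLLs missing or hash mismatch in $StageDir; nothing was changed" }
    $names = [string[]]$Expected.Keys
    $results = foreach ($root in ($SearchRoots | Where-Object { $_ -and (Test-Path $_) })) {
        Get-ChildItem -Path $root -Recurse -Include $names -File -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_
            $v = ConvertTo-DllVersion $file.VersionInfo.ProductVersion
            $blocker = Get-FileBlocker $file.FullName
            $state = if (-not $v)                    { 'skipped: no ProductVersion' }
                     elseif ($v -ge $MinimumVersion) { 'ok: already current' }
                     elseif ($blocker)               { "deferred: $blocker" }
                     elseif ($PSCmdlet.ShouldProcess($file.FullName, "replace $v with staged copy")) {
                         try {
                             # keep the original beside the file so the application can be rolled back
                             Copy-Item -LiteralPath $file.FullName -Destination "$($file.FullName).bak" -Force
                             Copy-Item -LiteralPath (Join-Path $StageDir $file.Name) -Destination $file.FullName -Force
                             'replaced'
                         } catch { "failed: $($_.Exception.Message)" }
                     } else { 'skipped: -WhatIf' }
            [pscustomobject]@{ Time = Get-Date; Path = $file.FullName; OldVersion = $v; Result = $state }
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $results
}

Update-OpenSslDll | Format-Table Result, OldVersion, Path -AutoSize
```

Run it with -WhatIf first to see what would change. Files reported as "deferred: in use" need a run at startup or before the application launches, as the poster suggests; Zoom's renamed copies (libcrypto-3-zm.dll) are not matched by the name table and need their own entry and hash if you decide to handle them; and a vendor update will reinstall its own copy, so keep the CSV log and re-run the inventory after application updates.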


Lastly - Microsoft needs to address their out of date usage of dependencies - not only are OpenSSL components out of date, I now have the vulnerability scanner I use for our servers reporting that I have a critical Curl/libcurl flaw on the servers - 
and it turns out to be the Microsoft MDATP agent. 

CVSSV3 9.8

/opt/microsoft/mdatp/lib/libcurl.so.4
version: 7.79.1


As it is being used, I don't believe it is an issue. Not sure if I can do a rip and replace of the libcurl.so file and have it work.