Nov 13 2023 04:28 AM
Hi all,
I've been trying to find out how to deal with "openssl" recommendation that I get on almost all end user computers in Defender.
I'm just not sure how to deal with it. It doesn't seem to be a particular app or so. From what I see when I check the "software inventory" page of the devices, there are many references to different files/DLLs. See a few examples below:
How do you deal with it? Is that something that can be pushed via Intune?
Nov 13 2023 05:25 AM
Hi @sumo83,
thanks for your question.
As per the post at https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre..., the OpenSSL team has identified two high-severity vulnerabilities: CVE-2022-3602 and CVE-2022-3786.
All OpenSSL versions between 3.0.0 and 3.0.6 are affected, and users of OpenSSL 3.x are advised to promptly upgrade to version 3.0.7 to mitigate the potential impact of these vulnerabilities.
To address this vulnerability, follow the instruction in the [Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre...) blog post.
Microsoft Defender for Cloud offers various methods to quickly assess vulnerability and prioritize actions. Utilize attack path analysis to identify and prioritize remediation for workloads posing the highest risk to your organization. The cloud security explorer allows you to hunt for all impacted workloads related to the OpenSSL v3 vulnerability, offering additional context for prioritization. Leverage vulnerability assessments for VMs, containers, and container images to prioritize remediation for the most critical workloads.
You can use these links for more information:
(1) [New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud](https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-pre...)
(2) [CERT-EU - UPDATE: OpenSSL Critical Vulnerability](https://cert.europa.eu/publications/security-advisories/2022-073/)
(3) [OpenSSL: Update to close the critical security vulnerability available - heise online](https://www.heise.de/news/OpennSSL-Update-zum-Schliessen-der-kritischen-Sicherheitsluecke-verfuegbar...)
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
Nov 13 2023 06:03 AM
Nov 13 2023 06:18 AM
Hi @sumo83,
Unfortunately, I'm not sure whether manually upgrading OpenSSL to a newer version will help with the references you mentioned.
You should use this article as an official guide:
New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud - Microsoft Community Hub
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
Nov 16 2023 10:48 AM
Nov 22 2023 07:50 AM
@tophneal I am struggling with the same. I found several articles, and using the following PowerShell command (make sure to run PowerShell as an admin) I was able to narrow in on where I have OpenSSL on our machines.
Get-childItem libssl* -Recurse -ErrorAction SilentlyContinue | select versioninfo -ExpandProperty versioninfo | sort ProductVersion,Filename | ft -auto
The culprits for us are:
Webex
Zoom
PowerBI Desktop
Salesforce ODBC drivers installed by default in Office
OneDrive
And 2 locations within c:\windows\system32\driverstore\filerepository which seem to be linked to the Intel Trusted Connect Service Client
I uninstalled Webex, Zoom, and Power BI Desktop. I deleted the Salesforce ODBC drivers. OneDrive appears to have updated itself overnight even though I have the same version this morning as I did last night; it is no longer showing up in my list. I am left with the two locations for the Intel Trusted Connect Service Client and I am still looking for how I can update that. I found this article - Surface Go update history - Microsoft Support - which seems to indicate the Nov 2022 update took care of updating the Intel Trusted Connect Service Client. I don't have a Surface Go, but I did just go through the steps in the article and it did find an update for the chipset. I'm going to reboot and see if that did anything; as of now, nothing has changed.
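The one-liner above finds libssl under the current directory only. As an added example (not code from this thread), the script below generalises it: it walks the locations the posts in this thread turned up (Program Files, Program Files (x86), ProgramData, every user's AppData\Local and the driver store), matches both libcrypto and libssl in the 1.1 and 3 naming schemes for x64 and x86, compares versions numerically via the ProductVersionRaw property PowerShell adds to FileVersionInfo, and classifies each hit. The search roots, the CSV output path and the 3.1.4 target version are assumptions; the 3.0.0-3.0.6 range is the one named for CVE-2022-3602 / CVE-2022-3786 earlier in the thread.

```powershell
# Added example: inventory and classify every OpenSSL DLL on a Windows host.
# Run elevated so that all users' profiles and the driver store are readable.

$targetVersion = [version]'3.1.4'   # assumption: the release this thread standardised on

# Assumption: these roots cover the locations seen in the thread
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    "$env:SystemRoot\System32\DriverStore\FileRepository"
) + @(Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' })

# OpenSSL's Windows names: libcrypto/libssl, series 1_1 or 3, "-x64" suffix only on 64-bit builds
$namePattern = '^lib(crypto|ssl)-(1_1|3)(-x64)?\.dll$'

function Get-OpenSslDllStatus {
    param([Parameter(Mandatory)][System.IO.FileInfo]$File)
    # ProductVersionRaw is a [version] built from the numeric resource fields,
    # so "3.0.10" sorts above "3.0.7" (a string compare would get that wrong)
    $v = $File.VersionInfo.ProductVersionRaw
    $status =
        if ($v -eq [version]'0.0.0.0')                                 { 'no version resource: inspect manually' }
        elseif ($v.Major -eq 1)                                        { '1.1.x: end of life, replace via the owning application' }
        elseif ($v -ge [version]'3.0.0' -and $v -le [version]'3.0.6')  { '3.0.0-3.0.6: CVE-2022-3602 / CVE-2022-3786' }
        elseif ($v -lt $targetVersion)                                 { "below $targetVersion" }
        else                                                           { 'ok' }
    [pscustomobject]@{
        Path    = $File.FullName
        Version = $v
        Arch    = if ($File.Name -like '*-x64.dll') { 'x64' } else { 'x86' }
        Status  = $status
    }
}

$report = foreach ($root in ($roots | Where-Object { $_ -and (Test-Path $_) })) {
    Get-ChildItem -Path $root -Recurse -File -Filter 'lib*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object { Get-OpenSslDllStatus -File $_ }
}

$report | Sort-Object Status, Version, Path | Format-Table -AutoSize
# Assumption: a CSV under ProgramData is a convenient hand-off to Intune or a ticketing system
$report | Export-Csv -Path "$env:ProgramData\openssl-inventory.csv" -NoTypeInformation
```

The Arch column matters for the later posts in this thread: a 32-bit libcrypto-3.dll must be replaced with a 32-bit build, not with the -x64 file, and the driver-store copies belong to a driver package that only an updated driver can replace.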
Nov 22 2023 07:56 AM
@tophneal - I see the attack path analysis in Defender for Cloud -> left panel, in the General section. However, it didn't help me much with identifying OpenSSL.
Nov 22 2023 07:57 AM
Nov 22 2023 08:54 AM
Nov 24 2023 09:53 AM
@sumo83
This is messy - and I feel your pain.
I determined most of my affected versions were in c:\Program Files\....
Git was one, some of the ones you listed and some of the ones listed in one of the other references.
I downloaded the most current version of OpenSSL for Windows, version 3.1.4, and copied the libcrypto and libssl files out into a separate folder.
15204 | 2023-Oct-24 13:59:15 | openssl-3.1.4.tar.gz (SHA256) (PGP sign) (SHA1) |
and then did a basic PowerShell script to locate and replace all of the out of date libcrypto-3 and libssl-3 versions.
Since MS puts special permissions on the Power BI Desktop directory, it failed to update those. I have to do further work there. I don't have the option to remove some or most of these applications.
I need to develop a tweak for Zoom with the customized file naming.
I did not include appdata locations, looks like I need to address those.
However, as soon as the script ran, 3.1.4 now shows as vulnerable.
In addition, my script does not account for files being in use and skips that directory. I guess I should set this up to run at startup somehow.
I then found machines with the 32 bit versions as well.
Also note that OpenSSL 1.x is no longer supported and needs to be replaced. Not sure where to even get started there, other than to keep patching the applications that use OpenSSL as dependencies until they catch up.
This is just one machine -
c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
c:\program files\microsoft onedrive\23.226.1031.0003\libcrypto-1_1-x64.dll
%userprofile%\appdata\local\programs\cisco spark\dependencies\libcrypto-1_1-x64.dll
%userprofile%\appdata\local\webex\wbxcache\webexdelta\x64\43.10.1-9\meetings\libcrypto-1_1-x64.dll
c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_367008a610747d24\lib\libcrypto-1_1-x64.dll
PowerShell script for replacement -
This needs lots of additional work; I don't spend enough time in PS.
I had to continue through parsing errors for the Power BI directory, as well as files-in-use issues during the file replacement.
The last three lines were used to create an easy way to get verification that it ran.
I then wrapped it with a folder that contained the updated lib-3 files and rolled it out as a Win32 application. Someone that is more practiced with PS could really improve this.
# Source files: the current OpenSSL 3 DLLs shipped in a folder next to this script
$source  = "$PSScriptRoot\openssl_dll\libcrypto-3-x64.dll"
$source2 = "$PSScriptRoot\openssl_dll\libssl-3-x64.dll"
# Any copy older than this is replaced. ProductVersionRaw is a [version], so the
# comparison is numeric; comparing the ProductVersion string would sort "3.0.10" below "3.0.7".
$minVersion = [version]'3.1.4'

# Target folder (files in this folder will be replaced with files from the source folder if a match is found)
$TARGET = Get-ChildItem -Recurse -Path "C:\Program Files\" -Filter "libcrypto-3-x64.dll" -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.ProductVersionRaw -lt $minVersion }
foreach ($file in $TARGET)
{
    # -Force overwrites read-only copies; a copy mapped by a running process still fails and is reported
    Copy-Item -Path $source -Destination $file.FullName -Force -ErrorAction Continue
}

$TARGET2 = Get-ChildItem -Recurse -Path "C:\Program Files\" -Filter "libssl-3-x64.dll" -ErrorAction SilentlyContinue |
    Where-Object { $_.VersionInfo.ProductVersionRaw -lt $minVersion }
foreach ($file in $TARGET2)
{
    Copy-Item -Path $source2 -Destination $file.FullName -Force -ErrorAction Continue
}

# Successful run: leave a marker file that the Win32 app deployment can use as its detection rule
if (-not (Test-Path "$($env:ProgramData)\OpenSSL_update3.1.4"))
{
    mkdir "$($env:ProgramData)\OpenSSL_update3.1.4" | Out-Null
}
Set-Content -Path "$($env:ProgramData)\OpenSSL_update3.1.4\openssl.txt" -Value "Script executed!"
Lastly, Microsoft needs to address their out-of-date usage of dependencies. Not only are OpenSSL components out of date, I now have the vulnerability scanner I use for our servers reporting that I have a critical curl/libcurl flaw on the servers,
and it turns out to be the Microsoft MDATP agent.
CVSSv3 9.8
/opt/microsoft/mdatp/lib/libcurl.so.4
version: 7.79.1
As it is being used, I don't believe it is an issue. Not sure if I can do a rip and replace of the libcurl.so file and have it work.
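The replacement script in the post above overwrites every stale copy it finds and simply errors on DLLs that a running process has mapped. As an added example (not the poster's script or Microsoft's tooling), the functions below close that gap: before copying, they enumerate the modules of every running process, skip a DLL that is currently loaded, and append it to a pending list that a startup task can work through later. Only a file that is strictly older than the shipped copy is touched, so re-running is idempotent. The openssl_dll folder layout (one file per DLL name, x86 and x64 side by side) and the pending-list path are assumptions.

```powershell
# Added example: replace out-of-date OpenSSL DLLs only when they are not in use.
# Run elevated, and from the same bitness of PowerShell as the processes you expect to
# hold the DLLs; Process.Modules cannot be read across bitness or for protected processes.

function Get-ProcessesUsingDll {
    param([Parameter(Mandatory)][string]$DllPath)
    foreach ($p in (Get-Process -ErrorAction SilentlyContinue)) {
        try {
            # Modules throws Win32Exception for processes we cannot inspect; treat those as "not using it"
            if ($p.Modules | Where-Object { $_.FileName -ieq $DllPath }) { $p }
        } catch { }
    }
}

function Update-OpenSslDll {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Target,
        # Assumption: location of the list a startup task retries later
        [string]$PendingList = "$env:ProgramData\OpenSSL_update\pending.txt"
    )
    if (-not (Test-Path $Source)) {
        return [pscustomobject]@{ Path = $Target; Result = 'no replacement shipped for this file name'; Version = $null }
    }
    $srcVer = (Get-Item $Source).VersionInfo.ProductVersionRaw
    $dstVer = (Get-Item $Target).VersionInfo.ProductVersionRaw
    if ($dstVer -ge $srcVer) {
        return [pscustomobject]@{ Path = $Target; Result = 'already current'; Version = $dstVer }
    }

    $holders = @(Get-ProcessesUsingDll -DllPath $Target)
    if ($holders.Count -gt 0) {
        # A mapped image cannot be overwritten; defer instead of failing mid-run
        New-Item -ItemType Directory -Force -Path (Split-Path $PendingList) | Out-Null
        Add-Content -Path $PendingList -Value $Target
        $names = ($holders | ForEach-Object { $_.ProcessName } | Sort-Object -Unique) -join ', '
        return [pscustomobject]@{ Path = $Target; Result = "in use by $names; deferred"; Version = $dstVer }
    }

    try {
        Copy-Item -Path $Source -Destination $Target -Force -ErrorAction Stop
        [pscustomobject]@{ Path = $Target; Result = 'replaced'; Version = $srcVer }
    } catch {
        # Typically an ACL problem, as seen on the Power BI Desktop directory in this thread
        [pscustomobject]@{ Path = $Target; Result = "failed: $($_.Exception.Message)"; Version = $dstVer }
    }
}

# Usage: pair each libcrypto-3*/libssl-3* found under Program Files with the same-named fresh
# copy in the folder deployed next to this script (assumption: that folder holds both
# libcrypto-3.dll and libcrypto-3-x64.dll, so x86 copies get an x86 replacement)
$dllDir = Join-Path $PSScriptRoot 'openssl_dll'
Get-ChildItem -Path $env:ProgramFiles -Recurse -File -Include 'libcrypto-3*.dll', 'libssl-3*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object { Update-OpenSslDll -Source (Join-Path $dllDir $_.Name) -Target $_.FullName } |
    Format-Table -AutoSize
```

Deferring rather than failing keeps the Win32-app exit code meaningful, and the pending list gives the startup run a fixed work list instead of a second full disk walk. Replacing a vendor's DLL in place is still a stop-gap: the application's own updater may put the old file back, which is why the copies that keep reappearing in this thread (OneDrive, Webex, the driver-store package) should be tracked against the vendor's release notes.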