OpenSSL vulnerabilities showing in Defender Dashboard

Jeff Thorne 50 Reputation points
2023-09-22T20:14:57.2433333+00:00

We have multiple devices showing up with OpenSSL vulnerabilities. It is detecting two dll files that it is flagging. Which they are libssl-3-x64.dll and libcrypto-3-x64.dll. It is flagging this for multiple different applications through out multiple devices. Some devices it's not the same application. Is defender showing a false negative of these vulnerabilities. If this are not false negatives then what is the process to update the dll files inside the applications?

Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,423 questions
Microsoft Defender for Identity
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
214 questions
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
151 questions
{count} votes

10 answers

Sort by: Most helpful
  1. Budi (Agustinus Teguh Pambudi) 10 Reputation points
    2024-01-24T08:17:39.45+00:00

    Hi,

    i have same issue on this with component of SSMS c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libcrypto-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\libcurl32.dlla\openssl32.dlla\libssl-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libcrypto-3.dll c:\program files (x86)\microsoft sql server management studio 19\common7\ide\mashup\odbc drivers\simba spark odbc driver\openssl32.dlla\libssl-3.dll software version detected is 3.0.8 by defender for cloud and defender endpoint in Azure. i haven't found any way to update it for SSMS.
    Please share if you have any advise.

    2 people found this answer helpful.
    0 comments No comments

  2. Givary-MSFT 33,706 Reputation points Microsoft Employee
    2023-09-25T08:17:42.1366667+00:00

    @Jeff Thorne Thank you for reaching out to us, As I understand you have queries on the OpenSSL vulnerabilities showing in Defender Dashboard.

    Researched on your issue and found few changes happened from 3.0.9 to 3.0.10 and notes for the same can be found here - https://www.openssl.org/news/openssl-3.0-notes.html

    Could you help me which defender dashboard has discovered these vulnerabilities on your devices, if any screenshot which you can share (if it contains sensitive information, feel free to send me an email to 'AzCommunity@microsoft.com' with Sub - Attn: Givary so that I can review it further).

    However similar issue was discussed in the past - https://msrc.microsoft.com/blog/2022/11/microsoft-guidance-related-to-openssl-risk-cve-2022-3786-and-cve-2202-3602/ where the mitigation was to update the OS/respective software having this DLL.

    Also would recommend to check if you have any security updates pending for these devices, if yes install them and check if defender still reports.

    Reference:

    https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/new-openssl-v3-vulnerability-prepare-with-microsoft-defender-for/ba-p/3666487

    https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/reduce-openssl-3-0-vulnerabilities-risks-with-microsoft-defender/ba-p/3668567

    Whether these alerts are false positive or not, I can tell after receiving the screenshot from the defender dashboard, so that I can discuss it with my team internally on the same.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    1 person found this answer helpful.

  3. Julio Soza 5 Reputation points
    2024-04-18T14:51:14.6833333+00:00

    Hi Everyone,

    As per my testing and research, I think this will be an ongoing vulnerability recommendation.

    For example, Zoom addressed the vulnerability with OpenSSL 3.1.4 back in Jan 2024, screen capture below https://support.zoom.com/hc/en/article?id=zm_kb&sysparm_article=KB0068823User's image

    But, Microsoft reported the CVE-2024-2511 which says that multiple versions of OpenSSL still are impacted:

    User's image

    After some testing, I uninstalled Zoom and found that the vulnerability was gone, but Defender detected it again as Zoom as I reinstalled the latest version.

    I did find the OpenSSL Recommendation helpful because there were apps and left over files that users in my organization where not using and were increasing the impact of this vulnerability, removing those specifics apps and files make the list shorter.

    Hope my findings help you all.

    1 person found this answer helpful.
    0 comments No comments

  4. Gary I 5 Reputation points
    2024-09-06T02:17:46.5566667+00:00

    I have been researching this again today (having had this issue for months) and found the following: OpenSSL are aware of the issues that are raised in CVE-2024-2511 but consider it low severity and won't be addressing it anytime soon:

    This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS
    clients.
    
    The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL
    1.0.2 is also not affected by this issue.
    
    OpenSSL 3.2, 3.1, 3.0, 1.1.1 are vulnerable to this issue.
    
    OpenSSL 3.2 users should upgrade to OpenSSL 3.2.2 once it is released.
    
    OpenSSL 3.1 users should upgrade to OpenSSL 3.1.6 once it is released.
    
    OpenSSL 3.0 users should upgrade to OpenSSL 3.0.14 once it is released.
    
    OpenSSL 1.1.1 users should upgrade to OpenSSL 1.1.1y once it is released
    (premium support customers only).
    
    Due to the low severity of this issue we are not issuing new releases of
    OpenSSL at this time. The fix will be included in the next releases when they
    become available. The fix is also available in commit e9d7083e (for 3.2),
    commit 7e4d731b (for 3.1) and commit b52867a9 (for 3.0) in the OpenSSL git
    repository. It is available to premium support customers in commit
    5f8d2577 (for 1.1.1).
    
    

    Source: https://openssl-library.org/news/secadv/20240408.txt

    This was dated 8 April 2024.

    It doesn't matter what Zoom or PowerBI or anyone do, CVE-2024-2511 will be around until OpenSSL address the weaknesses in those specific libraries.

    If you have Zoom, update to version 6.1.0 or above to address OpenSSL flaws except CVE-2024-2511 and CVE-2024-4603, which doesn't affect clients:

    User's image

    Source: https://devforum.zoom.us/t/zoom-5-6-10-vulnerabilities-with-openssl-dll-need-version-3-1-5/98806/78?page=4

    1 person found this answer helpful.
    0 comments No comments

  5. Dinesh Admin 20 Reputation points
    2023-12-01T06:11:15.68+00:00

    @Givary-MSFT i have the same problem on our defender portal and can't be updated openssl in window apps please find below the screenshot

    i think this is wrong recommendation
    User's image


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.