topic Re: OpenSSL vulnerability in icls driver version 1.71.99.0 in Mobile and Desktop Processors

OpenSSL vulnerability in icls driver version 1.71.99.0

MaximvL — Mon, 13 May 2024 05:53:04 GMT

According to Microsoft Defender, the icls driver installed on 80% of our devices uses OpenSSL version 3.0.12. This version has known vulnerabilities.

The driverversion is 1.71.99.0 which is the latest from Windows Update and also the lastest I can find on the Intel-site (https://www.intel.com/content/www/us/en/download/682431/intel-management-engine-drivers-for-windows-10-and-windows-11.html?wapkw=intel%20r%20icss%20client).

Is there a newer version which I missed? If not, when can we expect an updated driverpackage?

Re:OpenSSL vulnerability in icls driver version 1.71.99.0

ACarmona_Intel — Wed, 22 May 2024 11:21:34 GMT

Hello MaximvL,

Thank you for posting in our communities.

I will raise the case with our engineers so they can provide us with the correct information.

I'll post the response to this thread here once it is available.

Thank you for your patience and understanding!

Best regards,

Carmona A.

Intel Customer Support Technician

Re:OpenSSL vulnerability in icls driver version 1.71.99.0

ACarmona_Intel — Wed, 29 May 2024 07:40:39 GMT

Hello MaximvL,

Thank you so much for patiently waiting on our response.

In order to delve deeper into this issue, we would like to ask about the specific make and model of your system, as well as your processor model.

Additionally, if you wish to report any security vulnerabilities related to Intel® products, we encourage you to check out our article titled 'How Do I Report Security and Vulnerability Issues Related to Intel® Products?' for detailed guidance.

We look forward to your response!

Best regards,

Carmona A.

Intel Customer Support Technician

Re:OpenSSL vulnerability in icls driver version 1.71.99.0

ACarmona_Intel — Mon, 03 Jun 2024 10:26:34 GMT

Hello MaximvL,

We are checking in with you to see if you already have the answers to our questions so we can further isolate our issue.

Thank you, and have a great day!

Best regards,

Carmona A.

Intel Customer Support Technician

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

MaximvL — Mon, 03 Jun 2024 11:49:24 GMT

Carmona,

We have dozens of models with this issue. p.e. Dell Latitude 5540 13th Gen Intel(R) Core(TM) i5-1335U

I will send a mail as detailed in the link you send.

Re:OpenSSL vulnerability in icls driver version 1.71.99.0

ACarmona_Intel — Tue, 04 Jun 2024 01:48:33 GMT

Hello MaximvL,

Thank you so much for providing us with the details that we have requested. It is highly noted.

Yes, please do send an email using the link that we have provided so the right team can provide you with appropriate assistance regarding the security and vulnerability related to our Intel products.

By the way, I will now raise the case again with our engineers so they can thoroughly investigate the issue and provide us with a recommendation.

I will get back to you as soon as I have our engineers response.

Again, thank you so much for your patience.

Best regards,

Carmona A.

Intel Customer Support Technician

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

Account2241 — Wed, 05 Jun 2024 18:57:27 GMT

Same issue here with several hundred Microsoft Surface Laptop and Surface Pro devices.

Specifically, the vulnerability is with the below files under folder c:\windows\system32\driverstore\filerepository\ that are part of the Intel ICLS driver packages installed on these devices:

libssl-1_1-x64.dll

libcrypto-1_1-x64.dll

libssl-3-x64.dll

libcrypto-3-x64.dll

Many devices have two versions of the Intel ICLS drivers within c:\windows\system32\driverstore\filerepository\ - one version with OpenSSL 1.1.1.0 DLLs and another with version OpenSSL 3.0.11.0 DLLs.

Installing the current Intel ME driver package using the installer linked in original post does not uninstall the old versions. There is also no entry in Add/Remove Programs to uninstall the older versions of ICLS.

What is the recommended method for removing old versions of Intel ICLS drivers from multiple devices?

Re:OpenSSL vulnerability in icls driver version 1.71.99.0

ACarmona_Intel — Thu, 06 Jun 2024 08:57:43 GMT

Hello MaximvL,

Thank you for patiently waiting on our response.

Please continue to contact the Intel Product Security Incident Response Team for your concern; they will provide you with the appropriate recommendation that you need.

You may use this thread as a reference once you have contacted them.

MaximvL Community thread

By the way, we will now be closing this case. For additional information, please submit a new question, as this thread will no longer be monitored.

Best regards,

Carmona A.

Intel Customer Support Technician

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

RobynAnn — Thu, 27 Jun 2024 21:40:48 GMT

Is there any follow up on this? As the OP reported, the current versions of the ICLS client uses OpenSSL 3.0.12.0 and like OpenSSL 3.0.11.0, that is also vulnerable.

How soon will you have your OpenSSL drivers updated to an available-for-download version that is not vulnerable?

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

DeepakSingh — Mon, 22 Jul 2024 06:28:02 GMT

I'm also facing this issue due to ICLS client in the drivers folder path, where ICLS client uses OpenSSL 3.0.12.0, which is vulnerable.

Can you please share an ETA, or steps how we can update it, as it not getting updated with the windows updates for drivers.

Re: Re:OpenSSL vulnerability in icls driver version 1.71.99.0

KerrAvon — Tue, 23 Jul 2024 07:19:09 GMT

Having the same issue with the Intel Management Engine on Dell PCs

Ran the Dell command update which did update some of the component files with new versions however the libssl/libcrypto libraries are still showing as 3.0.11.0

This is causing an adverse vulnerability score in Microsoft Defender which indicates that upgrading to 3.3.0.0 is required.

My client is very security focussed & we have to submit a monthly report. Questions are being asked why a global organization like Intel are packaging versions that have been superseded multiple times.

A prompt resolution to this issue is requested

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

TItus2 — Fri, 26 Jul 2024 07:38:03 GMT

We have the same problem. Is ther a solution for ?

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

pdc99 — Thu, 01 Aug 2024 04:09:06 GMT

Have the same problem with various Dell desktop and laptop devices.

Ending up Defender flagging it.

Interesting wrinkle we have is that one 'instance' of ICLS' shows up in C:\Windows\system32\driverstore\filerepository\iclsclient.*

and another instance shows up on the same machine in c:\Windows\Temp\ii*.tmp\icls_dch\*

It will be the same version of OpenSSL in the two locations.

Nothing shows up in the Windows Installed Apps list for ICLS.

Looking at the Dell site, it kind of reads that the Dell Management Engine Components Installer kit contains the ICLS client software. This evening, that kit is listed as a critical install and does show up on our devices as being installed as version 2345.5.42.0.

https://www.dell.com/support/home/en-us/drivers/driversdetails?driverid=7fhff&oscode=w2021&productcode=optiplex-3070-sff

If you go through the Dell Security Update message to see all the CVE's that the above kit takes care of, none of them match the 6 CVE's that Defender lists out.

https://www.dell.com/support/kbdoc/en-us/000217983/dsa-2023-364-security-update-for-dell-client-bios-for-intel-platform-update-2024-1-advisories

Sure seems like there are serious disconnects between CVE numbers, what files are where, what larger update kits have other embedded kits within them and if so what versions of the smaller kits are included.

All to get to the point of knowing what kit the bundles up the right subkits all to get off the complaint list of Defender.

I'm starting to think this is a never ending, very ugly task with a lot of disappointments along the way.

I'll go back to my bleacher seat now.

pdc

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

MaximvL — Thu, 01 Aug 2024 07:19:01 GMT

I got a respons from Intel:

Thank you for your patience during our investigation, Intel recommends you upgrade your affected systems to ICLS Client Driver version 1.72.189.0 that mitigates these CVEs.

In future if you have a vulnerability scanner reporting a known third-party, open-source CVE in an Intel driver or other component. Keep in mind that Intel routinely scans for 3rd party vulnerabilities and updates these components. Please check the Intel Download Center for the latest version.

And indeed the 1.72.189.0 version has the new OpenSSL version

The CAB-file can be downloaded at Microsoft: https://www.catalog.update.microsoft.com/Search.aspx?q=intel%20icls%20windows%2011%20%201.72.189.0

It would be Nice if Microsoft and/or the manufacturer of our laptops would make this update available through the regular updates.

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

pdc99 — Thu, 01 Aug 2024 21:49:52 GMT

MaximvL..

I recommend that you don't get your hopes up with that CAB file.

It contains OpenSSL 3.0.13 files, which also get flagged by Defender as a security problem.

I poked around on one of the desktop devices we have and then did a bunch of reading and more poking around.

My test device has 2 icls* folders at c:\Windows\system32\driverstore\filerepository\*

One has OpenSSL 3.0.12 the other 3.0.13

Ran the Intel CSME Version Detection Tool which said the device was okay with Version 10.0, which is the latest CSME version available.

https://www.intel.com/content/www/us/en/download/19392/intel-converged-security-and-management-engine-version-detection-tool-intel-csmevdt.html

CSME Version 10 was released on 4/8/24 based on above web page.

OpenSSL 3.0.12 was released on: 10/24/24

OpenSSL 3.0.13 was released on: 1/30/24

Since OpenSSL V3.0.13 was released there has been 13 updates, excluding alpha/beta releases, to OpenSSL with the latest being 3.3.1 on 6/4/24.

Reading through the following article, it looks like the previous security update for Intel CSME and AMT was 8/11/22.

https://www.intel.com/content/www/us/en/support/articles/000031784/technologies.html

I could very well be missing information, but it doesn’t look like CSME gets updated often. And there are questions remaining about any new CSME version doing uninstallations of previous versions of ‘sub-kits’ like OpenSSL to clean up a device.

Heavy Sigh…

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

pdc99 — Thu, 01 Aug 2024 22:01:26 GMT

MaximvL

I forgot to mention in my earlier posts that I have been chatting with the Intel SIRT as well.

Their 1st reply was along the lines of what you posted which made little sense to me, so I replied back with:

I have read through your response several times and admit that I do not understand what is being said here.

Regarding the 1st paragraph, I go to the Intel download center and search for "ICLS Client Driver" and get 30 matches spread over 3 pages. On those pages, there are no entries saying 'ICLS Client Driver'. I then look for a version number of 1.72.189.0 among those 30 entries and none of them has that version number.

https://www.intel.com/content/www/us/en/search.html?ws=idsa-default#q=ICLS%20Client%20driver&first=20&sort=relevancy&f:@tabfilter=[Downloads]

I searched for that specific version number, 1.72.189.0, and find no matches.

https://www.intel.com/content/www/us/en/search.html?ws=idsa-default#q=%221.72.189.0%22&sort=relevancy&f:@tabfilter=[Downloads]

What part of a magic decoder ring am I missing to understand what you said and how to find what I am searching for in the future?

------------------

Today, Intel SIRT sent the following reply.

ICLS Client Driver is not a standalone product and hence you were not able to find it on the Intel download center, its part of Intel Converged Security and Management Engine (Intel CSME). By updating to the latest version of CSME the ICLS client driver will be automatically updated to the version listed below.

------------------

Which lead me to do more poking around with that result being what I posted a few minutes ago.

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

KerrAvon — Thu, 01 Aug 2024 23:36:17 GMT

If you need the full set of Windows drivers for both Windows 10 as well as 11 the MS catalog link is:

https://www.catalog.update.microsoft.com/Search.aspx?q=Intel+-+SoftwareComponent+-+1+72

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

MaximvL — Mon, 19 Aug 2024 10:10:36 GMT

PDC,

Last friday I got the following reply from Dell:

---------------------------------------------

There will be a Dell certified version released as follows:

Intel ME FW - Ver. 16.1.32.2418 v0.2

Intel ME Driver - Ver. 2413.5.68.0 / with iCLS v1.72.189.0

Target release date – 2024/10/8.
---------------------------------------------

So , I guess this will be october 8th and not august 10th as the sentence is in future tense and the Dell Driver downloads still show 2413.5.67.0.
Now, Windows also retains the second to last driver in the driver store so this update will patch the active drivers but Defender will keep flagging the older inactive driver.

As you stated, the driver files in Windows Temp are also flagged. I cleared these files using a script.

You won't find the software in Apps but you can find the active driver used in device managment --> Software Components --> Intel(R) iCLS Client

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

Jeff-Wampler — Mon, 14 Oct 2024 15:38:28 GMT

Has anyone been able to resolve this issue in Microsoft Defender? We are having the same issue with a client that requires CVE's to be resolved within 14 days. It's been many months!! I had a ticket open with Microsoft and they are telling me I need to contact Intel.

Re: OpenSSL vulnerability in icls driver version 1.71.99.0

AndAuf — Thu, 06 Feb 2025 12:35:28 GMT

8 months and still no reply from Intel.

HELLO?!?!