
Intel Driver & Support Assistant vulnerability

Pierre_Decrocq

Hello,

My internal security department reports that IDSA is incorporating a vulnerable version of OpenSSL libraries (v3.0.2).

The vulnerability is fixed starting with OpenSSL v3.0.7.

Could you fix this and quickly release an update to close this vulnerability?
Thanks a lot,

-Pierre

AndrewG_Intel
Employee

Hello @Pierre_Decrocq

Thank you for posting on the Intel® communities.


In order to review this further, could you please provide us with the following details?

1- Please attach the DSA folders following the steps in this article: How to Obtain the Intel® Driver & Support Assistant (Intel® DSA) Folders?

2- More details and if possible a screenshot of where/how the vulnerability is detected/reported:


Best regards,

Andrew G.

Intel Customer Support Technician


Pierre_Decrocq

Please find attached the requested contents (one folder is missing because it is empty).

About the vulnerability, please find information here => https://www.malwaretech.com/2022/11/everything-you-need-to-know-about-the-openssl-3-0-7-patch.html

Thanks !

-Pierre

Pierre_Decrocq

I'm surprised that 2 days after report, Intel doesn't take action quicker to fix a security vulnerability within DSA and release a new version.

Instead, I'm asked whether the reply above satisfies me... !

Please fix this issue by releasing a DSA update containing at least OpenSSL 3.0.7 libraries level.

Thanks

AndrewG_Intel
Employee

Hello Pierre_Decrocq


Thank you for providing us with the DSA folders and the information link. We will proceed to review this and once more information is available, we'll post back in the thread.


Best regards,

Andrew G.

Intel Customer Support Technician


AndrewG_Intel
Employee

Hello Pierre_Decrocq


Our developers confirmed that Intel® DSA does not use OpenSSL at all. Therefore, we would like to know if you may provide us with more details on what your internal security department found. Screenshots are also helpful.


Also, could you please check if you have the Intel® Computing Improvement Program installed? If so, please uninstall it and review if the behavior persists.

Please refer to this article Intel® Computing Improvement Program under the section "Leaving the Program > How do I uninstall the Intel® Computing Improvement Program?"


Best regards,

Andrew G.

Intel Customer Support Technician


chris-jnctn
Beginner

Hi @AndrewG_Intel, check out this other post in this forum. You will see that OpenSSL is being flagged as part of an Intel Install: OpenSSL vulnerability - CVE-2022-3602/CVE-2022-3786 - Intel Communities

You may want to point your developers at that information.

Rgds

Chris


AndrewG_Intel
Employee

Hello Pierre_Decrocq

Thank you for your response.


We have checked the other thread you pointed out, and based on the information there, the issue seemed to be related to the Intel® Computing Improvement Program (Intel® CIP). Actually, one of the users there has confirmed that after removing Intel® CIP (following the given instructions) "the vulnerability was not found any more".


We are thinking that the issue you are reporting might also be due to the Intel® CIP (and not due to Intel® DSA, which doesn't use OpenSSL). That's the reason why we wanted to know if you have the Intel® Computing Improvement Program installed and if uninstalling it would stop the vulnerability alert.


We would really appreciate it if you could confirm if you have Intel® CIP installed. If so, please try to remove it to see if the behavior is different or not. We are just trying to properly identify the specific root cause of the issue and make sure whether you see this vulnerability due to Intel® CIP or Intel® DSA.


If you confirm the issue is not related to Intel® CIP (e.g.: after removing Intel® CIP there is no change or if the program was never present on the system), please provide us with more details on what your internal security department found so we can investigate this further (and thus, we can discard that your issue is due to the same root cause as the one reported on the other thread).


Best regards,

Andrew G.

Intel Customer Support Technician


Pierre_Decrocq
Hello, sorry for the delay and thank you for the answer.
I was on a trip today and I will check and report tomorrow morning first thing.
Pierre_Decrocq

Hello,

As promised, I have checked and indeed I had Intel Computing Improvement Program.

I removed it and the SSL library has disappeared. Thanks !

However, I think you need to inform your colleagues in charge of Intel CIP that they are distributing an outdated libssl library and update it to at least v3.0.7. I trust that you'll do it.

Thanks !

AndrewG_Intel
Employee

Hello Pierre_Decrocq


Thank you very much for your response and for letting us know that the SSL library has disappeared after uninstalling the Intel® Computing Improvement Program.

Rest assured that we will share these details with the relevant department so they can have the proper information about this matter.


Sincerely,

Andrew G.

Intel Customer Support Technician


AndrewG_Intel
Employee

Hello Pierre_Decrocq


We would like to inform you that the information regarding this behavior has been routed to the appropriate team. Unfortunately, the team will not be able to provide updates to you regarding the status of the request.

We really appreciate your efforts and feedback in this matter.


Having said that, we will proceed to close this thread now. If you need any additional information, please submit a new question as this thread will no longer be monitored.


It has been a pleasure to assist you.

Best regards,

Andrew G.

Intel Customer Support Technician
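
The root cause in this thread was a bundled OpenSSL 3.0.2 library that belonged to a different installed product than the one first blamed. The following is an added example, not code from Intel or from any poster in the thread, showing one way to locate bundled libssl/libcrypto files under a directory and classify each against the 3.0.7 fix level. It assumes the library carries the usual ASCII version banner (files without one are reported as unknown), and the directory and file contents in `demo()` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Banner compiled into OpenSSL builds, e.g. b"OpenSSL 3.0.2 15 Mar 2022".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)[a-z]* +\d{1,2} [A-Z][a-z]{2} \d{4}")
FIXED = (3, 0, 7)  # per the thread: fixed starting with OpenSSL 3.0.7


def embedded_version(path):
    """Return (major, minor, patch) from the banner, or None if absent."""
    match = BANNER.search(Path(path).read_bytes())
    return tuple(int(g) for g in match.groups()) if match else None


def status(version):
    """Classify a version against CVE-2022-3602 / CVE-2022-3786 only."""
    if version is None:
        return "unknown"  # no banner found: verify this file by other means
    # Assumption stated here: only the 3.0 series before 3.0.7 is in scope;
    # 1.1.1 builds are not affected by these two CVEs.
    return "affected" if (3, 0, 0) <= version < FIXED else "not affected"


def scan(root):
    """Find bundled libssl/libcrypto files under root and classify each one."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower().startswith(("libssl", "libcrypto")):
            findings.append((path.relative_to(root).as_posix(),
                             status(embedded_version(path))))
    return findings


def demo():
    """Run scan() over a constructed directory tree (not real vendor files)."""
    samples = {
        "AppA/libcrypto-3-x64.dll": b"\x00MZ..OpenSSL 3.0.2 15 Mar 2022\x00",
        "AppB/libcrypto-3-x64.dll": b"\x00MZ..OpenSSL 3.0.7 1 Nov 2022\x00",
        "AppC/libcrypto-1_1-x64.dll": b"\x00OpenSSL 1.1.1s  1 Nov 2022\x00",
        "AppC/libssl-1_1-x64.dll": b"\x00no banner here\x00",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            target = Path(tmp, name)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(tmp)
```

Calling `scan()` on a real install root reports each hit with its containing folder, which is what identifies the owning product when a scanner flags only a library name.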

