Processors
Intel® Processors, Tools, and Utilities
15775 Discussions

OpenSSL 3.0.12 vulnerabilities

bitez
Beginner
254 Views

Microsoft Defender shows that OpenSSL version 3.0.12 has known vulnerabilities. These are the two file locations that Defender points to:

 

c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_fc84dfa25a6a7727\lib\libssl-3-x64.dll

and

c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_fc84dfa25a6a7727\lib\libcrypto-3-x64.dll

 

Is there a driver update that needs to be installed, or are there any other recommendations to remove the vulnerabilities?

 

I followed  How Do I Report Security and Vulnerability Issues Related to... and sent an email to secure@intel.com but have not received a response. 

 

Thank you

0 Kudos
2 Replies
pressed_for_time
Valued Contributor I
236 Views

This is not an Intel issue, it is a Windows issue.

This is Microsoft's statement on this situation

"...the vulnerabilities are due to areas that we don't use in the driver and the message can be ignored. You can set Microsoft Defender to exclude these vulnerabilities. The vulnerability is related to ciphers that we don't use in the driver."

0 Kudos
bitez
Beginner
13 Views

We contacted Microsoft directly. They told us that each app had to be updated and to contact whoever makes the app. They opened tickets with each of their internal teams for the Microsoft apps (photos, onedrive, etc.), and they don't expect any of their updates to touch the intel drivers. 

Excluding the vulnerabilities excludes the entire security recommendation, not each vulnerable file listed.

0 Kudos
Reply