Re: OpenSSL 3.0.12 vulnerabilities

bitez · ‎10-29-2024

Microsoft Defender shows that OpenSSL version 3.0.12 has known vulnerabilities. These are the two file locations that Defender points to:

c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_fc84dfa25a6a7727\lib\libssl-3-x64.dll

and

c:\windows\system32\driverstore\filerepository\iclsclient.inf_amd64_fc84dfa25a6a7727\lib\libcrypto-3-x64.dll

Is there a driver update that needs to be installed, or are there any other recommendations to remove the vulnerabilities?

I followed How Do I Report Security and Vulnerability Issues Related to... and sent an email to secure@intel.com but have not received a response.

Thank you

pressed_for_time · ‎10-29-2024

This is not an Intel issue, it is a Windows issue.

This is Microsoft's statement on this situation

"...the vulnerabilities are due to areas that we don't use in the driver and the message can be ignored. You can set Microsoft Defender to exclude these vulnerabilities. The vulnerability is related to ciphers that we don't use in the driver."

bitez · ‎11-19-2024

We contacted Microsoft directly. They told us that each app had to be updated and to contact whoever makes the app. They opened tickets with each of their internal teams for the Microsoft apps (photos, onedrive, etc.), and they don't expect any of their updates to touch the intel drivers.

Excluding the vulnerabilities excludes the entire security recommendation, not each vulnerable file listed.