This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs - .
New OpenSSL v3 vulnerability: prepare with Microsoft Defender for Cloud
(This post will be edited and expanded as more information about this vulnerability is released. Check back after November 1st for more details)
Last week, the OpenSSL Project team announced a new critical vulnerability. While they have yet to reveal details on the vulnerability, we know that the affected versions are 3.0.0-3.0.6. An upcoming fix is expected to be included in OpenSSL v3.0.7 due to be released on November 1, between 13:00-17:00 UTC.
As this is a critical vulnerability, it is likely to affect common configurations and be exploitable:
"Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server private keys or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible"- Note from OpenSSL
What is the impact and is your organization exposed to risk?
Microsoft Defender for Cloud telemetry shows that OpenSSL v3 (containing the vulnerability) is significantly less prevalent than earlier OpenSSL versions, which are not impacted by this vulnerability. The exploit details of the vulnerability are yet to be shared and the fix is still not available. The most important task right now for security teams is to identify workloads with potentially vulnerable versions of OpenSSL and prepare for expedited patching when the fixed version (3.0.7) is released. It’s important to note that a vulnerable version may be packaged within another application – which, itself will also need to be updated.
Microsoft Defender for Cloud has two available features to quickly determine whether your environment is vulnerable and to help prioritize your actions:
- Find vulnerable machines with Defender for Cloud’s inventory tools: Part of the asset inventory, this tool provides a quick way to find any machines or containers with the affected versions (3.0.0-3.0.6)
- Find and prioritize which workloads to update first with the cloud security explorer: This new feature - released as part of Defender Cloud Security Posture Management (CSPM) and now available for free in public preview - goes further. Whereas the inventory tool gives you a list of potentially impacted machines, the security explorer adds context so you can prioritize which machines represent greater risks.
Find vulnerable machines with Defender for Cloud’s inventory tools
Without an official CVE, vulnerability assessment solutions are not able to detect this issue. Instead, you can identify potentially vulnerable assets by noting which resources contain the relevant packages. If you’re using one of Defender for Cloud’s integrated vulnerability assessment solutions (Microsoft Defender Vulnerability Management, Qualys, etc.) check this blog post again in coming days for additional instructions.
Until then, you can leverage the data from Defender for Cloud’s software inventory. This tool can show you assets with OpenSSL 3.x packages. With the new agentless scanning capabilities that were released at Ignite 2022, you no longer need to deploy agents to get a software inventory on VMs. Learn more about how to enable MDC’s agentless scanning.
Both agent-based and agentless software inventory are available from the Inventory page.
- Sign into the Azure portal.
- Navigate to Microsoft Defender for Cloud > Inventory
- Use the built-in filters to find your at-risk machines:
- Use the Installed applications filter to search for “contains openssl” or specific packages
- Use the Installed applications versions filter to find the affected versions (3.0.0-3.0.6)
Figure 1: Inventory of machines with OpenSSL packages
Prioritize which workloads to update first with the cloud security explorer
The new Defender CSPM plan provides context for your machines based on multiple data layers including internet exposure, permissions, and connections between identified entities.
Understanding the exploitability and business impact of resources is critical for identifying the most urgent tasks and risky assets that need to be patched first.
To build a query:
- Sign into the Azure portal.
- Ensure you’ve enabled Defender CSPM.
- Navigate to Microsoft Defender for Cloud > Cloud Security Explorer (preview).
- Search for
- Virtual machines > (Has) Insight > (Where) Title (equals) Installed software
- and Name is “openssl”
- and Version (starts with) “3.0”
As shown here:
Figure 2: Cloud security explorer query for VMs containing OpenSSL 3.x packages
Knowing which machines contain vulnerable software is only the first step. It’s important to also consider contextual information to prioritize the workloads with the highest risk. Defender for Cloud provides internet exposure insights in the intelligent cloud security graph. This powerful, built-in engine identifies potential entry points and machines with the highest potential exploitability. Also, when making decisions about which machines to patch or isolate, a significant consideration is the business context of the affected machine. That context can be understood by analyzing its connections with your critical assets. For example, you might prioritize patching a machine that’s connected to databases with sensitive data, or which has permissions allowing connections to many resources.
All of these details are available as part of the cloud security graph in the Defender CSPM plan.
Learn more about cloud security explorer and other Defender CSPM capabilities.
Until the fixed version is released by OpenSSL, the most important preparations you can do are to:
- Identify your potential risks as described above.
- Identify and notify the relevant resource and application owners.
- Define the upgrade, update, or isolate procedures for these resources.
If you’re already a Microsoft Defender for Cloud customer, prepare for the November 1st release of OpenSSL v3.0.7 as described above.
If you aren’t yet a Microsoft Defender for Cloud customer, we encourage you to enable it and onboard your Azure, AWS, and GCP environments. The cloud security explorer and all other Defender CSPM features are available for free while the Defender CSPM plan is in public preview.
We are continuing to work with multiple Microsoft security teams and with our partners outside Microsoft to ensure that our vulnerability assessment solutions will be ready as close as possible to the official release of the CVE. We will also be releasing more dedicated experiences around this incident. Stay tuned and expect updates as this story unfolds.