We’ve got OpenSSL 1.1.1d installed on a windows server 64 Bit running Apache 2.4.*. Everything was working fine until recentlly (Jan 2020) when our daily PCI scan failed with the following synopsis: The remote service is affected by Multiple Vulnerabilities. Obviously the natural thing for me to do was to upgrade to the most recent version of OpenSSL and when I checked https://www.openssl.org/ I found that 1.1.1d is the latest version, I still reinstalled it just to be safe. This did not change anything, the Scan still failed.
The Scan report had a long paragraph at the bottom giving more details about the impact, this text caught my attention…
*"OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time".*
Can anyone out there help me understand what I would need to do to stop this failure? I’ve had a look around on the internet and no one is reporting the issue in the same context as me. Please help!
UPDATE TO QUESTION – ADDED THE FULL REFERENCED PARAGRAPH
Impact
The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by the following vulnerabilities : – Normally in OpenSSL EC groups always have a co-factor present and this is used in side channel resistant code paths. However, in some cases, it is possible to construct a group using explicit parameters (instead of using a named curve). In those cases it is possible that such a group does not have the cofactor present. This can occur even where all the parameters match a known named curve. If such a curve is used then OpenSSL falls back to non-side channel resistant code paths which may result in full key recovery during an ECDSA signature operation. In order to be vulnerable an attacker would have to have the ability to time the creation of a large number of signatures where explicit parameters with no co-factor present are in use by an application using libcrypto. For the avoidance of doubt libssl is not vulnerable because explicit parameters are never used. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. (CVE-2019-1547) – OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. OpenSSL version 1.1.1 is affected by this issue. (CVE-2019-1549) – OpenSSL has internal defaults for a directory tree where it can find a configuration file as well as certificates used for verification in TLS. This directory is most commonly referred to as OPENSSLDIR, and is configurable with the –prefix / –openssldir configuration options. For OpenSSL versions 1.1.0 and 1.1.1, the mingw configuration targets assume that resulting programs and libraries are installed in a Unix-like environment and the default prefix for program installation as well as for OPENSSLDIR should be ‘/usr/local’. However, mingw programs are Windows programs, and as such, find themselves looking at sub-directories of ‘C:/usr/local’, which may be world writable, which enables untrusted users to modify OpenSSL’s default configuration, insert CA certificates, modify (or even replace) existing engine modules, etc. For OpenSSL 1.0.2, ‘/usr/local/ssl’ is used as default for OPENSSLDIR on all Unix and Windows targets, including Visual C builds. However, some build instructions for the diverse Windows targets on 1.0.2 encourage you to specify your own –prefix. OpenSSL versions 1.1.1, 1.1.0 and 1.0.2 are affected by this issue. Due to the limited scope of affected deployments this has been assessed as low severity and therefore we are not creating new releases at this time. (CVE-2019-1552) Note that SecurityMetrics has not tested for these issues but has instead relied only on the application’s self-reported version number. See also : http://www.nessus.org/u?c46dca59 https://www.openssl.org/news/secadv/20190910.txt https://www.openssl.org/news/secadv/20190730.txt
2
Answers
I'm now having to answer my own question thanks to the responses by Kapish M and Rodrigo M who gave me crucial information and led me on the right path.
As it turns out, the OpenSSL version installed on a windows server does not supersede version of OpenSSL which is part of the Apache bundle installed as part of XAMPP. The Vulnerability Scanner scans against OpenSSL which is inside Apache (or possibly both but definitely the apache one).
The OpenSSL I had installed on the server version 1.1.1d is completely separate from the one which is part of the XAMPP package (in my case 1.1.1c). The issue I found was that despite having the most up to date version of Apache 2.2.41, the version of OpenSSL shipped with it is not the latest version of OpenSSL and there's no officially documented way of updating just the OpenSSL within the XAMPP package. In fact, the official XAMPP website does say that they do not yet have the 1.1.1d ready for windows, except for Linux (correct at the time of this answer) https://www.apachefriends.org/blog/new_xampp_20191227.html explicitely says OpenSSL 1.1.1d (UNIX only).
Below is what I did to resolve my issue after having had a better understanding thanks to the responses received. I'm still not sure if my approach is safe as this isn't my area of expertise but it definitely got my PCI-Scan to pass.
[VERY IMPORTANT] Create backup copies of the 3 files mention in step 3 in case you need to revert.
Stop the Apache Server
Copy the 3 files from YourDrive:Program FilesOpenSSL-Win64bin to YourDrive:xamppapachebin
(Re)Start the Apache Server
These are the steps I followed and when we run the PCI Scan again, it passed with no Vulnerabilities!
I hope this is useful to someone else out there.
It’s a false positive. You need to file a dispute with the vendor, showing them that version 1.1.1d does not have the vulnerability found in the other versions. All PCI scan vendors have a process to dispute false positives. If they agree with the results of your dispute, they will remove the vulnerability from your report. They should resolve this issue for you quickly. Send them https://www.openssl.org/news/secadv/20190910.txt, and evidence of the actual version that you have.