Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
hasoft
Novice
Posts: 9
Liked: 2 times
Joined: Sep 29, 2018 10:19 am
Full Name: Zdenek Vasku
Contact:

Veeam Agent OpenSSL vulnerabilities

Post by hasoft » 1 person likes this post

Hello,

After upgrading our computers, FortiClient reports these issues with OpenSSL inside Veeam Agent.

OpenSSL AES-XTS cipher decryption Denial of Service Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe

OpenSSL CVE-2023-2975 Authentication Bypass Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe

OpenSSL CVE-2023-3817 Denial of Service Vulnerability
C:\Program Files\Common Files\Veeam\OpenSSL3\Win32\openssl.exe
C:\Program Files\Common Files\Veeam\OpenSSL3\x64\openssl.exe

etc.; 12 in total for OpenSSL 3.0.8.

Is there any plan to upgrade OpenSSL inside the Agent? Current version: 13.0.1.120
Gostev
former Chief Product Officer (until 2026)
Posts: 33084
Liked: 8186 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by Gostev »

Please note that we're using FIPS-certified versions of OpenSSL only, so it's not a simple "upgrade to the latest OpenSSL version" for us; we need to wait for a later version to get certified first.
daysoftit
Lurker
Posts: 1
Liked: never
Joined: Dec 18, 2025 1:36 pm
Full Name: Alastair Cupples
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by daysoftit »

Hi, is there any update on this please? It looks like OpenSSL 3.1.2 was FIPS-certified back in March?
Gostev
former Chief Product Officer (until 2026)
Posts: 33084
Liked: 8186 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by Gostev »

We're using 3.0, not 3.1, so certifications for the latter don't matter. OpenSSL does not have a transparent order of certification for different minor releases, probably because they cannot control it due to external dependencies.

More importantly, I have since found that OpenSSL these days consists of two parts:
1/ FIPS module: we use version 3.0.8
2/ Non-FIPS module, which hosts the majority of the logic: we use one of its latest versions in V13

Most CVEs do NOT impact the FIPS module; you will see notes in them about this, such as the one below:
"The FIPS provider is not affected as the AES-SIV algorithm is not FIPS approved and FIPS provider does not implement it."

Your security scanner is likely not advanced enough to do CVE-specific analysis and flags the mere presence of OpenSSL 3.0.8 module.

If you want to review a particular CVE, you can submit the list of CVEs to our security team and they will comment on each one.
dreamteam
Influencer
Posts: 20
Liked: 6 times
Joined: Feb 22, 2017 9:12 am
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by dreamteam »

OpenSSL is a new dependency for Veeam Agent for Windows v13, what's the package used for? (That wasn't needed before?)

Just curious. Thanks for a great product!
Gostev
former Chief Product Officer (until 2026)
Posts: 33084
Liked: 8186 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by Gostev »

For encrypted network connections for example.
willrussell
Service Provider
Posts: 47
Liked: 18 times
Joined: Nov 23, 2017 5:05 pm
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by willrussell » 1 person likes this post

Gostev wrote: Dec 18, 2025 3:57 pm More importantly, I have since found that OpenSSL these days consists of two parts:
1/ FIPS module: we use version 3.0.8
2/ Non-FIPS module, which hosts the majority of the logic: we use one of its latest versions in V13

May I just question this?

My understanding is that number 1 above is the fips.dll, and number 2 above is openssl.exe. We have installed the latest standalone Veeam Agent (Veeam 13.0.2.1102) and the version of both of these files is 3.0.8. This is why it's being flagged as a vulnerability - not because the FIPS module is being misdetected as an OpenSSL release - it's because the version of openssl.exe you are shipping is from 2023.

The supplied version of openssl.exe is definitely still vulnerable if called by a non-Veeam application without FIPS enabled (e.g. through a bad actor). In a highly-controlled environment with technologies such as AppLocker, this requires whitelisting a vulnerable version of openssl.exe. Such environments are also more likely to require FIPS compliance, so this is very relevant.

I think you need to look at this with urgency!

Per https://github.com/openssl/openssl/blob ... ME-FIPS.md, it is supported to compile the latest 3.0.8 fips.dll and use it with a later openssl.exe (e.g. 3.0.19 LTS). Please could Veeam update the openssl.exe in Veeam Agent to be a later patched release? (while still keeping the 3.0.8 fips.dll in place)
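The disagreement in this thread comes down to a factual question an administrator can answer locally: which OpenSSL release is actually stamped into openssl.exe and fips.dll on a given host? The script below is an added example, not code from Veeam or from any poster here. It uses the install paths quoted above and the fips.dll filename from the post, reads the PE version resource of every executable and DLL in those folders, and cross-checks with what openssl.exe reports about itself. The reference version 3.0.8 and the folder layout are assumptions taken from the thread.

```powershell
# Added example (not Veeam's or any poster's code): inventory the OpenSSL binaries
# Veeam Agent ships and report their embedded versions, so the shipped release can
# be verified directly rather than inferred from a scanner's module-presence match.
$Base    = 'C:\Program Files\Common Files\Veeam\OpenSSL3'   # path quoted in the thread
$Minimum = [version]'3.0.8'                                  # assumed reference point from the thread

$report = foreach ($arch in 'Win32', 'x64') {
    $dir = Join-Path $Base $arch
    if (-not (Test-Path $dir)) { continue }

    Get-ChildItem -Path $dir -Include '*.exe', '*.dll' -Recurse | ForEach-Object {
        $vi  = $_.VersionInfo
        # OpenSSL stamps FileVersion as e.g. '3.0.8'; fall back to ProductVersion if empty.
        $raw = if ($vi.FileVersion) { $vi.FileVersion } else { $vi.ProductVersion }
        $ver = $null
        # Keep only the leading dotted numeric part so [version] can parse it.
        [void][version]::TryParse(($raw -replace '[^\d.].*$', ''), [ref]$ver)

        [pscustomobject]@{
            Arch         = $arch
            File         = $_.Name
            FileVersion  = $raw
            IsFipsModule = ($_.Name -ieq 'fips.dll')   # filename as named in the post above
            NewerThan308 = if ($ver) { $ver -gt $Minimum } else { $null }
        }
    }
}

$report | Format-Table -AutoSize

# Cross-check with the binary's own self-report, which covers the case where the
# PE version resource is missing or was not updated at build time.
foreach ($arch in 'Win32', 'x64') {
    $exe = Join-Path $Base "$arch\openssl.exe"
    if (Test-Path $exe) { & $exe version -a }
}
```

If openssl.exe and the non-FIPS DLLs report 3.0.8 while only fips.dll is expected to stay on the validated 3.0.8 build, that confirms the point made above: the scanner finding is about the shipped non-FIPS binaries, not a misdetected FIPS module. The same output is what to attach when raising the CVE list with the vendor's security team.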
willrussell
Service Provider
Posts: 47
Liked: 18 times
Joined: Nov 23, 2017 5:05 pm
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by willrussell »

Just wondered if anyone from the Veeam team can comment on the above?

I think there may have been a fundamental misunderstanding about the version of openssl.exe in Veeam Agent. Per Gostev's comment above, he believed the no-FIPS module is one of the latest versions whereas the FIPS module is 3.0.8.

This may be the case for Veeam B&R (I haven't tested) - but it is not the case for Veeam Agent for Windows! This means that VAW is shipping with a very insecure version of openssl.exe.
willrussell
Service Provider
Posts: 47
Liked: 18 times
Joined: Nov 23, 2017 5:05 pm
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by willrussell »

Just bumping this. The OpenSSL version installed with the latest Veeam Agent for Windows is still 3.0.8 and can still be exploited without using the FIPS module. Veeam really need to patch the openssl.exe to the latest version - this would still work fine with the 3.0.8 fips.dll that VAW uses!
willrussell
Service Provider
Posts: 47
Liked: 18 times
Joined: Nov 23, 2017 5:05 pm
Contact:

Re: Veeam Agent OpenSSL vulnerabilities

Post by willrussell »
