We have been conducting vulnerability scans using Qualys and it is highlighting that we have a vulnerable version of OpenSSL installed on our IBM Endpoint Manager Servers, however I have checked all the Common Vulnerabilities and Exposures (CVE) numbers highlighted by Qualys and all of them relate to previously vulnerable versions of IBM Endpoint Manager, none of which we are on.
Is there a way we can find out which version of OpenSSL IBM Endpoint Manager is using? I have looked in a number of places like the registry and in the tool itself, but had no luck.
DISCLAIMER: I’m not a developer. Just an enthusiastic user.
Currently the only time I see openSSL when related to IEM from an administration perspective is when using client encryption. All clients have openSSL installed using the task “Enable Encryption for Clients”. Since there is no way to check the version of it by a simple read, the way you would normally check the version is to run the “version” command on the “openSSL.exe” located here:
You would need SYSTEM access to do so since when it’s installed, SYSTEM is the only user given access to it. That being the case, you could use a task to output the version to a text file and have an analysis read it. The task would look something like this.
// build a one-line batch file, then run it (as SYSTEM) so the version lands in the text file
delete __appendfile
appendfile "{pathname of parent folder of parent folder of client folder of current site}\openSSL\bin\openssl.exe" version >> C:\Temp\opensslversion.txt
delete getopensslversion.bat
move __appendfile getopensslversion.bat
waithidden getopensslversion.bat
And the analysis something like this:
line of file "C:\Temp\opensslversion.txt"
Again, I could be on the wrong track but that’s the only place I’ve ever seen openSSL used. You may not use that or you may not have encrypted your clients so in that case, this reply may not be much help.
Thanks for your response. I should clarify that the servers where this vulnerability is showing are 2 of our Relay servers. We have not yet deployed encryption for clients.
Just in case you were on the right track, I have checked C:\Program Files (x86)\BigFix Enterprise\BES Relay for any sign of OpenSSL, but can’t see anything.
Any other theories would be appreciated, but I suspect this is going to be one of those things that cannot be easily found, if at all.
All components (client, relay, console, server, etc) use OpenSSL. Since 9.2 I think, and maybe earlier, one of the first log messages should be the OpenSSL version. I think it might also be in the release notes as well, but I’m not sure on that.
I’m not in the office right now so I’m not sure if there’s a better way to check, but the first way I’d try is to just search the client, relay, or server log file for OpenSSL.
Since it seemed there was some confusion on whether we use OpenSSL at all, we use it for encryption, digital signature verification, and for HTTPS.
I managed to find the openssl version used in the log file as suggested by greenb and it shows we are not on a vulnerable version. We are still on version 9.0 so I wasn’t able to use dhwang’s version guide. However, it will be useful when we come to upgrade in the near future.
On windows as a retrieved property, try this:
(name of it, value "ProductVersion" of version block 1 of it) of find files "libBES*.dll" of parent folder of client
On a machine running version 9.0.649.0 of the agent, this returns:
libBEScrypto_1_0_0_1.dll, 0.9.8f-dev
libBEScrypto_1_0_0_5.dll, 0.9.8y
There are two libraries, one used for FIPS mode, the other for non-FIPS mode. The higher version number in the file name indicates the non-FIPS version.
The only problem with the ProductVersion lookup is it shows our BigFix internal version numbers. We have plans of exposing the OpenSSL version number string (like the logs show when the client starts etc) in relevance at some point too.
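The two checks discussed in this thread (grepping the client/relay log for the OpenSSL line, and reading the ProductVersion of the libBEScrypto DLLs) both yield an OpenSSL-style version string that then has to be compared against a patched version. The script below is an added example, not code from the thread or from BigFix: it parses the retrieved-property output quoted above, picks the non-FIPS library by the higher file-name number, pulls a version out of a log excerpt (the log line wording is constructed, since the thread does not quote it), and compares OpenSSL versions correctly, treating the letter suffix as a patch level and a -dev tag as pre-release. The minimum patched version is supplied by the caller; the script makes no claim about which versions are vulnerable.

```python
import re

# Constructed sample: the retrieved-property output quoted in the thread,
# one "<dll name>, <ProductVersion>" pair per line.
SAMPLE_PROPERTY_OUTPUT = """libBEScrypto_1_0_0_1.dll, 0.9.8f-dev
libBEScrypto_1_0_0_5.dll, 0.9.8y"""

# Constructed sample log excerpt; the real BigFix log wording is assumed here.
SAMPLE_LOG = """Starting client
Using OpenSSL 0.9.8y for encryption, signature verification and HTTPS
Relay selected"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(dev|beta\d*))?")

def version_key(text):
    """Sortable tuple for an OpenSSL-style version (0.9.8y, 1.0.1e, 0.9.8f-dev).
    Letters are a patch level (0.9.8y > 0.9.8f, 0.9.8zh > 0.9.8z); a
    -dev/-beta tag sorts below the matching release."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters, tag = m.groups()
    return (int(major), int(minor), int(fix), len(letters), letters, tag is None)

def parse_property_output(text):
    """Map dll name -> ProductVersion from 'name, version' lines."""
    libs = {}
    for line in text.splitlines():
        if "," in line:
            name, ver = (part.strip() for part in line.split(",", 1))
            libs[name] = ver
    return libs

def non_fips_library(libs):
    """Per the thread, the higher number in the file name is the non-FIPS build."""
    def suffix_num(name):
        return int(re.search(r"_(\d+)\.dll$", name).group(1))
    return max(libs, key=suffix_num)

def version_from_log(log_text):
    """Return the first OpenSSL version string mentioned in the log, or None."""
    for line in log_text.splitlines():
        if "OpenSSL" in line and VERSION_RE.search(line):
            return VERSION_RE.search(line).group(0)
    return None

def is_at_least(found, minimum):
    """True when the found version is the patched version or newer."""
    return version_key(found) >= version_key(minimum)
```

Naive string or float comparison gets 0.9.8y versus 0.9.8f wrong, which is exactly the kind of mistake that turns a scanner finding into a false sense of safety.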