OpenSSL 3.0.0 - 3.0.6 Detection - YARA Scan

OpenSSL 3.0.0 - 3.0.6 Detection - YARA Scan - Windows x64 YARA Scan for Windows - OpenSSL_3_lower_307

Two HIGH-severity vulnerabilities have been announced by the OpenSSL project on 2022-11-01, referenced at https://www.openssl.org/news/vulnerabilities.html, affecting OpenSSL 3.0.0 through 3.0.6

These include

This Task attempts to identify products that utilize the affected OpenSSL versions by scanning executables and executable library files on the system, probing for strings known to reside within programs built to use OpenSSL 3.

This Task will

Download a copy of YARA 4.2.3 (https://github.com/VirusTotal/yara) and store it under the BES Client\yara directory
Install Visual C++ Runtime 14.32.31332.0 if necessary (a prerequisite for YARA)
Perform a scan of all local drives or the specified directory to identify binaries with OpenSSL 3.0.0 - 3.0.6
Create an output report at BES Client\yara\results. The results can be parsed by the related Analysis to identify potentially-vulnerable programs.

Important Considerations:

The YARA scan has limited throttling options. Take care when scanning. High disk utilization is expected and the scan may take considerable time to complete.
Avoid scanning shared resources such as VM infrastructure or shared SAN storage from multiple clients simultaneously, and stagger action-start-times to avoid overutilizing disk resources.
This task has no Default Action, as care should be taken when scheduling filesystem scans.

YARA signature name:
YARA signature content:	import "pe" import "elf" rule OpenSSL_3_lower_307: executable_embedded_strings { strings: $re1 = /OpenSSL 3\.0\.[0-6]/ condition: (pe.is_pe or elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN) and any of them }
Scan target:
All Local Drives Specific Path:

]]> windows of operating system and (if exists property "in proxy agent context" then not in proxy agent context else true) x64 of operating system Vulnerability Scan HCL BigFix Services 2022-11-01 x-fixlet-yara-scan-identifier OpenSSL_3_lower_307 x-fixlet-first-propagation Tue, 01 Nov 2022 18:15:55 +0000 x-fixlet-modification-time Wed, 02 Nov 2022 14:23:42 +0000 BESC Click here to deploy this action. = version "4.2.3") of it) of parent folder of parent folder of client folder of site "actionsite"} add prefetch item name=yara.zip size=2091495 sha1=9d457f44fe83955472d483268df8bdc89a7fdef6 url=https://github.com/VirusTotal/yara/releases/download/v4.2.3/yara-4.2.3-2029-win64.zip sha256=a71a7070bc6dd392e0c066a590d2262382b0c3d73e76cc0851dc33ab5d51d381 add prefetch item name=unzip.exe sha1=84debf12767785cd9b43811022407de7413beb6f size=204800 url=http://software.bigfix.com/download/redist/unzip-6.0.exe sha256=2122557d350fd1c59fb0ef32125330bde673e9331eb9371b454c2ad2d82091ac endif // Collect Visual C++ Runtime if missing our outdated if {not exists (it as string as version) whose(it >= "14.32.31332.0") of values "DisplayVersion" of keys whose(value "DisplayName" of it as string starts with "Microsoft Visual C++ 2015-" and value "DisplayName" of it as string ends with " Redistributable (x64)") of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries)} add prefetch item name=vc_redist.x64.exe sha1=d4f9181e70e3f1aa6c8edffcc15b3c3d4babe36b size=25234792 url=https://download.visualstudio.microsoft.com/download/pr/7331f052-6c2d-4890-8041-8058fee5fb0f/CE6593A1520591E7DEA2B93FD03116E3FC3B3821A0525322B0A430FAA6B3C0B4/VC_redist.x64.exe sha256=ce6593a1520591e7dea2b93fd03116e3fc3b3821a0525322b0a430faa6b3c0b4 endif end prefetch block // Install Visual C++ runtime if missing or outdated if {not exists (it as string as version) whose(it >= "14.32.31332.0") of values "DisplayVersion" of keys whose(value "DisplayName" of it as string starts with "Microsoft Visual C++ 2015-" and value "DisplayName" of it as string ends with " Redistributable (x64)") of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of (x64 registries)} override wait hidden=true completion=job wait __Download\vc_redist.x64.exe /install /quiet /norestart endif // Extract yara if it is not already present if {not exists folders "yara" whose (exists files "yara64.exe" of it and exists files "yarac64.exe" of it and exists files "yara_version.txt" whose (key "YARA_VERSION" of it as string as version >= version "4.2.3") of it) of parent folder of parent folder of client folder of site "actionsite"} utility __Download/unzip.exe folder create "{pathname of parent folder of parent folder of client folder of site "actionsite"}/yara" parameter "yara_folder"="{pathnames of folders "yara" of parent folder of parent folder of client folder of site "actionsite"}" waithidden __Download/unzip.exe -oq "__Download/yara.zip" -d "{parameter "yara_folder"}" // yara64.exe does not contain version info blocks, so create a breadcrumb file for detection delete __appendfile appendfile YARA_VERSION=4.2.3 delete "{parameter "yara_folder"}\yara_version.txt" copy __appendfile "{parameter "yara_folder"}\yara_version.txt" // Exclude yara64.exe from Ms Antimalware On-Access scans to reduce system overhead while scanning action uses wow64 redirection false waithidden powershell.exe -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '{parameter "yara_folder"}\yara64.exe' endif parameter "signature_name"="OpenSSL_3_lower_307" action parameter query "target" with description "Enter scan target type ('localdrives' or 'path')" action parameter query "pathnames" with description "Path to scan if target is 'path', else leave blank" parameter "yara"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\yara64.exe" parameter "yarac"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\yarac64.exe" parameter "signature_folder"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\signatures" parameter "output_folder"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\results" parameter "output"="{parameter "output_folder"}\{parameter "signature_name"}.out" parameter "err_output"="{parameter "output_folder"}\{parameter "signature_name"}.err" parameter "script_output"="{parameter "output_folder"}\{parameter "signature_name"}.script.out" parameter "timeout"="21600" // Strip special characters out of the signature name to ensure it is valid as a filename parameter "signature_shortname"="{concatenation "_" of parenthesized parts 2 of matches (regex("([^a-zA-Z0-9]|^)([a-zA-Z0-9]+)([^a-zA-Z0-9]|$)")) of parameter "signature_name" }" parameter "signature_file"="{parameter "signature_folder"}\{parameter "signature_shortname"}.yar" parameter "compiled_rules_file"="{parameter "signature_folder"}\{parameter "signature_shortname"}.yarc" //parameter "scan_info"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\results\results-{id of action as string}.json" parameter "scan_info"="{pathname of parent folder of parent folder of client folder of site "actionsite"}\yara\results\results-{parameter "signature_shortname"}.json" folder create "{parameter "signature_folder"}" folder create "{parameter "output_folder"}" action uses wow64 redirection {not x64 of operating system} // Create yara signature for the scan delete __createfile createfile until BIGFIX_END_OF_FILE_MARKER import "pe" import "elf" rule OpenSSL_3_lower_307: executable_embedded_strings {{ strings: $re1 = /OpenSSL 3\.0\.[0-6]/ condition: (pe.is_pe or elf.type == elf.ET_EXEC or elf.type == elf.ET_DYN) and any of them } BIGFIX_END_OF_FILE_MARKER delete "{parameter "signature_file"}" copy __createfile "{parameter "signature_file"}" // Compile yara signature for the scan delete "{parameter "compiled_rules_file"}" delete __createfile createfile until EOF_EOF_EOF_EOF REM Create compiled YARA rules file "{parameter "yarac"}" {parameter "signature_shortname"}:"{parameter "signature_file"}" "{parameter "compiled_rules_file"}" EOF_EOF_EOF_EOF delete compile_yara_rules.cmd move __createfile compile_yara_rules.cmd waithidden cmd.exe /c compile_yara_rules.cmd // Abort action if we failed to compile yara rules continue if {exists file (parameter "compiled_rules_file")} // see https://yara.readthedocs.io/en/stable/commandline.html delete "{parameter "output"}" delete "{parameter "err_output"}" delete __createfile if {parameter "target" of action as lowercase = "path"} // Abort If a specific scan path is requested but no pathname supplied continue if {parameter "pathnames" of action as trimmed string != ""} parameter "scanoption"="specific path" createfile until EOF_EOF_EOF_EOF ECHO Scan specified path "{parameter "pathnames"}" "{parameter "yara"}" -C "{parameter "compiled_rules_file"}" -f -N -w -r --timeout={parameter "timeout"} --threads=1 {parameter "pathnames"} --print-strings >> "{parameter "output"}" 2>>"{parameter "err_output"}" EOF_EOF_EOF_EOF endif if {parameter "target" of action as lowercase = "localdrives"} parameter "scanoption"="all local drives" createfile until EOF_EOF_EOF_EOF echo Scan all local drives {concatenation "%0d%0a" of ("%22" & parameter "yara" & "%22 -C %22" & parameter "compiled_rules_file" & "%22 -f -N -w -r --timeout=" & parameter "timeout" & " --threads=1 " & it as string & " --print-strings >> %22" & parameter "output" & "%22 2>>%22" & parameter "err_output" & "%22") of root folders of drives whose (type of it = "DRIVE_FIXED")} EOF_EOF_EOF_EOF endif if {parameter "target" of action as lowercase = "processmemory"} parameter "scanoption"="process memory" createfile until EOF_EOF_EOF_EOF Echo Scan process memory TASKLIST {concatenation "%0d%0a" of ("%22" & parameter "yara" & "%22 -C %22" & parameter "compiled_rules_file" & "%22 -f -N -w --timeout=" & parameter "timeout" & " --threads=1 " & it as string & " --print-strings >> %22" & parameter "output" & "%22 2>>%22" & parameter "err_output" & "%22") of unique values of process ids of processes} EOF_EOF_EOF_EOF endif delete yara_scan.cmd copy __createfile yara_scan.cmd // Delete extraneous files which could contain copies of the signatures and false-positives delete __createfile delete __appendfile // Execute the scan parameter "scan-start-time"="{now}" waithidden cmd.exe /c "yara_scan.cmd > "{parameter "script_output"}" 2>&1" // Save scan settings and results file in JSON format for analysis delete __createfile createfile until EOF_EOF_EOF_EOF {{ "signature_shortname": "{parameter "signature_shortname"}", "scan_start_time": "{parameter "scan-start-time"}", "scan_completion_time": "{now}", "scan_duration_seconds": {(now - (parameter "scan-start-time" as time)) / second }, "scan_target": "{parameter "target"}", "scan_paths": "{concatenation "\\" of substrings separated by "\" of parameter "pathnames"}", "result_code": {exit code of action}, "results": [ { if (parameter "target" = "localdrives" or parameter "target"="path") then concatenation ",%0a" of ( "{%22Detection%22: %22" & item 0 of it & "%22, %22file%22: %22" & concatenation "\\" of substrings separated by "\" of item 1 of it & "%22, %22matched_strings%22: %22" & concatenation "\\" of substrings separated by "\" of (item 2 of it as string) & "%22}}") of (preceding text of first " " of item 0 of it, following text of first " " of item 0 of it, (if exists tuple items of item 1 of it then tuple items of item 1 of it as string else "")) of (tuple items whose (index of it = 0) of it as string, tuple string of (/* split of the indexes from the matched strings */(following texts of firsts ": " of (it as string)) of tuple items whose (index of it > 0) of it as string)) of ( tuple string of items 0 of (lines of item 0 of it, item 1 of it, item 2 of it) whose (line number of item 0 of it >= item 1 of it and line number of item 0 of it <= item 2 of it) of it) of (item 0 of it, item 1 of it, (minimum of items 1 of (item 1 of it, elements of item 2 of it) whose (item 0 of it < item 1 of it) - 1)| number of lines of item 0 of it) of (item 0 of it, elements of item 1 of it, item 1 of it) of (it, set of line numbers of lines whose (preceding text of first " " of it does not contain ":") of it) of files ( parameter "output" ) else ""} ] } EOF_EOF_EOF_EOF delete "{parameter "scan_info"}" copy __createfile "{parameter "scan_info"}" ]]>