microsoft / powerbi-desktop-samples

Power BI Desktop sample files for the monthly release. Here you can find the PBIX files used in the monthly release videos.
MIT License

Microsoft PowerBI Desktop includes OpenSSL v3.0.9 DLLs which are vulnerable to 4 published Security Vulnerabilities #89

Closed AScott-WWF closed 12 months ago

AScott-WWF commented 12 months ago

Hello,

I appreciate this is the GitHub repository for PowerBI-Desktop-Samples and not the PowerBI Desktop application, but as there does not seem to be a way to raise this issue with the PowerBI Desktop developers directly, I am hoping that if I raise it here someone will see this and action it - maybe so we can see a new release of the product with the vulnerabilities fixed / removed?

I raised a report for security vulnerabilities which exist when the PowerBI Desktop application is installed - frustratingly this was rejected by MSRC because I did not supply a POC (exploding head):

It appears that you are reporting out of date libraries, but no proof of concept is provided. While there are risks associated with specific functionality within the library, it does not mean we are using the vulnerable codes within the library. In order to investigate your report specifically, I will need a valid proof of concept (POC) ideally with images or video, the detailed steps to reproduce the problem, and how an attacker could use it to exploit another user.

This report is currently here: Microsoft PowerBI Desktop includes OpenSSL v3.0.9 DLLs which are vulnerable to 4 published Security Vulnerabilities

But, in case this ticket gets closed / removed - in my report I state:

Within the default install of Microsoft PowerBI Desktop (build: 2.123.742.0 (also affected: 2.123.684.0 & 2.121.782.0)) there are 8 OpenSSL v3.0.9 DLLs, which are currently vulnerable to 4 published CVEs.

The specific CVE raised in this vulnerability report (CVE-2023-5363, "Incorrect cipher key & IV length processing") is of MODERATE severity and was fixed on 24 October 2023.

Under the default user install path, these files are found below here: c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba spark odbc driver\

Using the following PowerShell to show the evidence (run from the directory to be scanned, e.g. the WindowsApps package folder above):

```powershell
# Enumerate OpenSSL binaries below the current directory, expand their version
# resource, and list product/file version alongside the full path.
Get-ChildItem *libcrypt*.dll, *libssl*.dll, *openssl.exe -Recurse -Force -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty VersionInfo |
    Sort-Object ProductVersion, FileVersionRaw, FileName |
    Select-Object ProductVersion, FileVersionRaw, FileName |
    Format-Table -AutoSize
```

Returns the following results:

ProductVersion FileVersionRaw FileName
-------------- -------------- --------
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba spark odbc driver\libcurl64.dlla\openssl64.dlla\libcrypto-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba spark odbc driver\libcurl64.dlla\openssl64.dlla\libssl-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba spark odbc driver\openssl64.dlla\libcrypto-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba spark odbc driver\openssl64.dlla\libssl-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba trino odbc driver\libcurl64.dlla\openssl64.dlla\libcrypto-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba trino odbc driver\libcurl64.dlla\openssl64.dlla\libssl-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba trino odbc driver\openssl64.dlla\libcrypto-3-x64.dll
3.0.9         3.0.9.0        c:\program files\windowsapps\microsoft.microsoftpowerbidesktop_2.123.742.0_x64__8wekyb3d8bbwe\bin\odbc drivers\simba trino odbc driver\openssl64.dlla\libssl-3-x64.dll

Full list of OpenSSL v3.0 vulnerabilities are published here on the OpenSSL website: https://www.openssl.org/news/vulnerabilities-3.0.html

The current list of available (and supported) OpenSSL versions for download is here on the OpenSSL website: https://www.openssl.org/source/

These 3rd Party OpenSSL DLLs should be updated to the latest available version with each new release of the PowerBI Desktop install, to ensure you are not exposing your customers to existing vulnerabilities.

Maybe someone on the PowerBI development team can respond?
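The check the report above performs by hand (find the bundled libcrypto/libssl DLLs, read their version resource, compare against the OpenSSL release that carries the fix) can be scripted so it can be re-run against each new Power BI Desktop build. The following is an added example written for this page; it is not code from the issue author or from the Power BI project. The install path, the function name and the `$FixedIn` lookup are assumptions: only CVE-2023-5363, whose fix shipped in OpenSSL 3.0.12 on 24 October 2023, is pre-populated, and the table should be extended from the OpenSSL 3.0 vulnerability page linked in the report.

```powershell
# Added example (not part of the original issue): inventory OpenSSL 3.x binaries
# under an install tree and flag each one that is older than the release that
# fixed a given CVE. Extend $FixedIn from
# https://www.openssl.org/news/vulnerabilities-3.0.html as needed.
function Find-BundledOpenSsl {
    [CmdletBinding()]
    param(
        # Root of the install to scan. Reading the WindowsApps package folder
        # requires an elevated shell.
        [Parameter(Mandatory)]
        [string]$Path,

        # CVE -> first OpenSSL 3.0.x release that contains the fix.
        # CVE-2023-5363 was fixed in 3.0.12; other entries are left to the reader.
        [hashtable]$FixedIn = @{ 'CVE-2023-5363' = [version]'3.0.12' }
    )

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue `
        -Include 'libcrypto*.dll', 'libssl*.dll', 'openssl.exe' |
    ForEach-Object {
        $vi = $_.VersionInfo

        # ProductVersion carries the OpenSSL release string (e.g. "3.0.9").
        # Fall back to the numeric file version if it is missing or unparseable.
        $ver = $null
        if (-not [version]::TryParse($vi.ProductVersion, [ref]$ver)) {
            $ver = $vi.FileVersionRaw
        }

        if ($null -eq $ver) {
            $missing = @('(version unreadable)')
        }
        else {
            # A binary older than the fixing release is missing that CVE's fix.
            $missing = foreach ($cve in $FixedIn.Keys) {
                if ($ver -lt $FixedIn[$cve]) { $cve }
            }
        }

        [pscustomobject]@{
            Version      = $ver
            File         = $_.FullName
            MissingFixes = (@($missing) | Sort-Object) -join ', '
        }
    } | Sort-Object Version, File
}

# Usage (elevated PowerShell). The package folder name below is taken from the
# report and is an assumption for any other build.
$pkg = 'C:\Program Files\WindowsApps\Microsoft.MicrosoftPowerBIDesktop_2.123.742.0_x64__8wekyb3d8bbwe'
Find-BundledOpenSsl -Path $pkg | Format-Table -AutoSize

# One line per distinct OpenSSL version found, with a count of binaries:
Find-BundledOpenSsl -Path $pkg | Group-Object Version | Select-Object Name, Count
```

An empty `MissingFixes` column means the binary is at or above every fixing release in `$FixedIn`; it does not prove the vendor's build is unaffected, since the table only covers the CVEs you have entered. The same function can be pointed at other product directories (for example the SSMS or Office install trees mentioned later in the thread) to see where else the same Simba driver bundle ships.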

yelper commented 12 months ago

I'll pass it along, thanks!

yelper commented 12 months ago

A POC is required for any submission to MSRC in order to prioritize issues. I have additional detail if you want to directly e-mail me (see contact on my webpage), but your enterprise support resource should be able to provide more detail on this process or allow you to open a case for third-party issues.

It is possible to disable certain third-party drivers in a bundled Desktop release, let me know if that's a path you want to take and I'll hunt down more info.

AScott-WWF commented 12 months ago

Thanks Alper,

Ideally we would like to have the option not to deploy these 3rd Party drivers, because as a customer we have no way to update the installer - or at least there doesn't appear to be a documented way for us to choose not to install these 3rd Party files. Even better would be a method to uninstall them once the product is installed.

I'm unsure how that would be possible when the product is deployed from the Microsoft Store (almost certainly with a fixed install routine). With an MSI install, for example, we could theoretically create an MST file with the install options pre-configured, so we only install the app as we want it.

N.B. The cause of this issue is the existence of the "Simba Spark ODBC drivers", which appear time and again across multiple Microsoft applications (Office 365, SQL Server Management Studio (all versions) & PowerBI Desktop, to name a few). My preference would be to give your customers the option NOT to install these drivers during the install, thus reducing the attack surface of the product.

yelper commented 11 months ago

Please e-mail me (first.last@); apparently we provide such installers on a case-by-case basis.