Insight Agent OpenSSL Vuln. Detected by MDE/Defender

This might be helpful / insightful for some, so I’ll share…

Defender XDR portal (MDE agent) detected OpenSSL vuln. CVE-2024-12797 and CVE-2024-13176 with all our installed Rapid7 Insight agents ver. 4.0.17. The path proof provided was ‘c:\program files\rapid7\insight agent\components\insight_agent\4.0.17.21\lib\libcrypto-3-x64.dll’

However, InsightVM did not report this.

After confirming with R7 support:

Our Insight Agent (latest agent version, using OpenSSL version 3.4.0.0) is not vulnerable to these CVEs:
CVE-2024-12797 - Medium: The Insight Agent and the Rapid7 servers do not use Raw Public Keys (RPKs) at all and therefore have no real vulnerability from this CVE.
CVE-2024-13176 - Low: The Insight Agent does not use ECDSA signature computations.

4 Likes

Any updates on this? Is 4.0.17.21 still the most current version of the agent? Am I correctly reading that Rapid7 agent 4.0.17.21 is not considered vulnerable to CVE-2024-12797 even though it has the two suspect DLLs? It would be helpful if there is eventually a version of the Rapid7 agent that has newer or zero OpenSSL DLLs, so that Microsoft Defender stops flagging it.

2 Likes

Currently, Microsoft Defender reports that the agent is using vulnerable OpenSSL DLLs:

  • C:\Program Files\Rapid7\Insight Agent\components\insight_agent\4.0.20.15\lib\libssl-3-x64.dll

  • C:\Program Files\Rapid7\Insight Agent\components\insight_agent\4.0.20.15\lib\libcrypto-3-x64.dll

Since we have deployed the Insight Agent on all of our Windows clients, this finding has accumulated significantly. My team colleagues are already joking that MY security software is actively contributing to our daily battle against vulnerabilities. :skull_and_crossbones: :rofl:
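Added example, not part of any post in this thread and not Rapid7's or Microsoft's code: a PowerShell inventory of the OpenSSL DLLs that ship under the Insight Agent's components directory. It uses only the paths named above and assumes the agent keeps one sub-directory per installed build (4.0.17.21 and 4.0.20.15 appear in the thread); the DLL file names, the version fields and the hash are read from the files themselves. It lets an administrator see, per endpoint, which agent build directories still carry libssl-3-x64.dll and libcrypto-3-x64.dll and which OpenSSL file version each reports, so the Defender finding can be reconciled with the vendor statement and tracked across agent upgrades rather than re-investigated each time it reappears.

```powershell
# Added example (not from the thread): inventory OpenSSL DLLs shipped with the Rapid7 Insight Agent.
# Assumption: one sub-directory per installed agent build under the components path quoted in the thread.
$agentRoot = 'C:\Program Files\Rapid7\Insight Agent\components\insight_agent'
$dllNames  = @('libssl-3-x64.dll', 'libcrypto-3-x64.dll')   # the two DLLs Defender flagged

function Get-InsightAgentOpenSslInventory {
    param([string]$Root = $agentRoot)

    if (-not (Test-Path -LiteralPath $Root)) {
        Write-Warning "Insight Agent components directory not found: $Root"
        return
    }

    # Every build directory is listed, so a stale older build left behind after an
    # upgrade shows up alongside the current one instead of being overlooked.
    Get-ChildItem -LiteralPath $Root -Directory | ForEach-Object {
        $build = $_.Name
        foreach ($name in $dllNames) {
            $path = Join-Path $_.FullName "lib\$name"
            if (Test-Path -LiteralPath $path) {
                $file = Get-Item -LiteralPath $path
                [pscustomobject]@{
                    Computer       = $env:COMPUTERNAME
                    AgentBuild     = $build
                    Dll            = $name
                    FileVersion    = $file.VersionInfo.FileVersion      # OpenSSL build version embedded in the DLL
                    ProductVersion = $file.VersionInfo.ProductVersion
                    LastWriteUtc   = $file.LastWriteTimeUtc
                    Sha256         = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    Path           = $path
                }
            }
        }
    }
}

# Print the inventory; pipe to Export-Csv instead to collect results from many hosts.
Get-InsightAgentOpenSslInventory | Format-Table -AutoSize
```

The SHA-256 column is what makes the output comparable across hosts and over time: if two agent builds report the same OpenSSL file version and hash, a repeated Defender finding is the same file, not a new one, and can be handled by the same exception or risk acceptance that the vendor's statement supports.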

Yep, same here; the security solution should not be the security problem :smiley: