We receive alerts in our vulnerability management tool. It mentions us that we use a version of open ssl (
3.0.8.0) that has known vulnerabilities. (CVE-2023-4807, CVE-2023-5363) is one of them. After performing an analysis we notices that its being used in the followin locations:
c:\program files (x86)\splashtop\splashtop remote\server\libcrypto-3.dll
c:\program files (x86)\splashtop\splashtop remote\server\libssl-3.dll
As I understand syncro is using splashtop software to perform remote connections and is causing those open vulnerabilities. Is it possible to update this?
Thanks !
1 Like
We need to run a script on all machines that need to meet FIPS compliance. Splashtop servers support FIPS-validated cryptographic modules. To configure Splashtop to use the FIPS-validated cryptographic modules, you need to set a Windows registry or download a FIPS-compliant application. Since those are both related to messaging you may want to run this on one of your endpoints and see if it still appears in the vulnerability report.
Requirements:
Splashtop Streamer or SOS app 3.3.2.0 or later
Splashtop Business app 3.3.2.0 or later
On the streamer (host/remote) computer with the streamer installed, set this registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\EnableFIPS to “1” (DWORD)
The Powershell script I use for this is:
Set Registry Key Path by checking is system is 64-bit
$RegistryKeyPath = “Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server”
Update key value
New-Itemproperty -path “$RegistryKeyPath” -Name “EnableFIPS” -value 1 -Force
#Restart the Splashtop Streamer Service
Restart-Service SplashtopRemoteService
Hi there,
Thanks for raising this! We’ve confirmed with Splashtop’s team that they’re aware of the issue and are preparing an update to their Streamer which includes upgrading Open SSL 3.0.8.0 to OpenSSL 3.0.12 which fixes the CVEs.
This update is set to go out in their next major release, v3.6.4.0, targeting early February release.
We’re awaiting more information from Splashtop’s team to provide partners, which we’ll continue to track and share in our Known Issue Board for this issue here:
https://community.syncromsp.com/t/rmm-known-vulnerability-in-latest-splashtop-streamer-version-3-6-2-1/14429
As we await more info from Splashtop’s team, we’ve had our security officer review this and we believe any potential impact to partners is low— Splashtop does not appear to consume the vulnerable dependency in a way that would put it at risk.
That said, we’ll continue to share updates as we have until their fix is released.
If you have any additional questions or concerns do not hesitate to ask or reach out to us at help@syncromsp.com for assistance.