
My C code uses the libcrypto.a library, linked to the compiled source code at the final stage, for implementing the RSA algorithm. When a vulnerability scan was done, it came back with a YARA signature match for the following:

YARA signature "ldpreload" classified file as "backdoor" based on indicators: "dlopen,dlsym,fopen,fopen64,__fxstat,accept,Accept,open,Open,OPEN,opendir,readdir"

This is because I use the libcrypto.a library from OpenSSL. I thought this was a widely used library for implementing crypto algorithms. How do I mitigate this issue? Should I try to get this whitelisted, as I was not able to find any other way of implementing RSA in C without having to use the OpenSSL libraries?

JIST
Sundar
[YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify **malware samples**.](https://virustotal.github.io/yara/) YARA is **not** a vulnerability scanner. It's a tool to classify executables that are already known to be malware. You need to ignore this. It appears to be a rule to flag all code that calls the listed functions "dlopen,dlsym,fopen,fopen64,__fxstat,accept,Accept,open,Open,OPEN,opendir,readdir", which is just about **all** code. Who knew calling `open()` or even that evil backdoor `fopen64()` is something only malware does? – Andrew Henle Mar 28 '22 at 08:12
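To see for yourself how weak that indicator list is, the following is an added example (not code from the question or from OpenSSL): a deliberately harmless C program that does nothing but count directory entries and measure a file it wrote itself. Once compiled, its undefined-symbol table contains `fopen`, `open`, `opendir`, `readdir` and (on glibc before 2.33, where `fstat` is an inline wrapper) `__fxstat`, i.e. most of the names the "ldpreload" rule keys on. Check with `nm -u ./benign` after `cc -o benign benign.c`; the same `nm -u` run over `libcrypto.a` is how you confirm which names the archive itself imports (OpenSSL's `dlopen`/`dlsym` references come from its DSO loader in crypto/dso/dso_dlfcn.c, used for engines and providers). The temporary file name is an arbitrary choice for this example.

```c
/* Added example, not from the original post: a benign program whose
 * imported symbols overlap heavily with the "ldpreload" YARA indicator
 * list (fopen, open, opendir, readdir, and __fxstat via fstat on
 * older glibc). Build: cc -o benign benign.c ; inspect: nm -u ./benign */
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count entries in a directory with opendir/readdir.
 * Returns the number of entries (including "." and ".."), or -1 on error. */
int count_dir_entries(const char *path) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    while (readdir(d) != NULL) n++;
    closedir(d);
    return n;
}

/* Write `text` to `path` with fopen/fwrite, reopen it with open(2),
 * measure it with fstat, remove it, and return the byte count.
 * Returns -1 on any failure. */
long write_and_measure(const char *path, const char *text) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    size_t len = strlen(text);
    if (fwrite(text, 1, len, f) != len) { fclose(f); return -1; }
    fclose(f);

    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    unlink(path);
    return (long)st.st_size;
}

int main(void) {
    /* "benign_example.txt" is a constructed, arbitrary temp file name. */
    printf("entries in '.': %d\n", count_dir_entries("."));
    printf("bytes written: %ld\n",
           write_and_measure("benign_example.txt", "hello\n"));
    return 0;
}
```

Nothing here loads a shared object, listens on a socket, or hides anything; it simply uses the standard file and directory API, which is exactly why a string-based rule built from that API's names cannot distinguish it from a preload backdoor. The practical mitigation is therefore the one the comment suggests: treat the hit as a false positive and have the scanner owner exclude or whitelist the binary (or refine the rule to require a preload-specific combination, such as `dlsym` plus `accept` plus hooked-function names, rather than any single libc call).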

0 Answers