28 November 2022

Dell, HP, Lenovo devices still using outdated OpenSSL versions

Devices made by Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library, potentially introducing risks to the UEFI firmware supply chain ecosystem.

The discovery was made by researchers at firmware security company Binarly, who examined firmware images across devices produced by the above-mentioned vendors.

The researchers analyzed EDKII, one of the core frameworks used as part of any UEFI firmware, which carries its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EFI Development Kit (EDK) is a development code base for creating UEFI drivers, applications and firmware images.

While analysing Lenovo ThinkPad enterprise devices, Binarly found that a single firmware image contained three different versions of OpenSSL (0.9.8zb, 1.0.0a, and 1.0.2j), with the most recent of them dating back to 2018. Moreover, one of the firmware modules, named InfineonTpmUpdateDxe, relied on OpenSSL version 0.9.8zb, which was rolled out on August 4, 2014.

“In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device… Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years,” the researchers noted in a technical write-up.

The researchers further found that some of the firmware packages from Lenovo and Dell used an even older version (0.9.8l), released on November 5, 2009. HP's firmware code used a 10-year-old version of the library (0.9.8w).

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the researchers said. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
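The binary-level SBOM check the researchers call for, as an added example (not Binarly's tooling): it scans firmware modules for the version string OpenSSL embeds in every binary built from it, compares the result against the vendor's declared SBOM, and flags versions older than a cutoff. The module names, byte blobs and SBOM entries below are constructed for illustration, not taken from real Dell, HP or Lenovo images.

```python
import re
from datetime import date

# OpenSSL embeds OPENSSL_VERSION_TEXT in every binary linked against it,
# e.g. "OpenSSL 1.0.2j  26 Sep 2016"; the regex tolerates the double space.
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}

def parse_release_date(text):
    day, mon, year = text.split()
    return date(int(year), MONTHS[mon], int(day))

def find_openssl_versions(blob):
    """Return {version: release_date} for every OpenSSL version string in blob."""
    found = {}
    for m in VERSION_RE.finditer(blob):
        found[m.group(1).decode()] = parse_release_date(m.group(2).decode())
    return found

def validate_sbom(modules, sbom, max_age_days, today):
    """modules: {module_name: bytes}; sbom: {module_name: declared OpenSSL version}.
    Returns (module, finding) pairs: SBOM mismatches and over-age versions."""
    findings = []
    for name, blob in modules.items():
        versions = find_openssl_versions(blob)
        declared = sbom.get(name)
        if declared and declared not in versions:
            findings.append((name, f"SBOM declares OpenSSL {declared}, "
                                   f"binary contains {sorted(versions) or 'none'}"))
        for ver, rel in versions.items():
            age = (today - rel).days
            if age > max_age_days:
                findings.append((name, f"OpenSSL {ver} released {rel.isoformat()} "
                                       f"is {age // 365} years old"))
    return findings

# Constructed sample modules and SBOM (hypothetical, not real vendor firmware).
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"MZ\x90\x00pad OpenSSL 0.9.8zb 4 Aug 2014\x00tail",
    "TlsDxe": b"\x00\x00OpenSSL 1.0.2j  26 Sep 2016\x00",
}
SAMPLE_SBOM = {"InfineonTpmUpdateDxe": "1.0.2j", "TlsDxe": "1.0.2j"}
REPORT_DATE = date(2022, 11, 28)

def run_sample():
    # Flag anything older than five years as of the report date.
    return validate_sbom(SAMPLE_MODULES, SAMPLE_SBOM, 5 * 365, REPORT_DATE)

if __name__ == "__main__":
    for module, finding in run_sample():
        print(f"{module}: {finding}")
```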
