28 November 2022

Dell, HP, Lenovo devices still using outdated OpenSSL versions


Dell, HP, Lenovo devices still using outdated OpenSSL versions

Devices made by Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library, potentially introducing risks to the UEFI firmware supply chain ecosystem.

The discovery was made by researchers at firmware security company Binarly who examined firmware images across devices produced by the above mentioned firms.

The researchers analyzed one of the core frameworks EDKII used as a part of any UEFI firmware which has its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EFI Development Kit (EDK) is a development code base for creating UEFI drivers, applications and firmware images.

While analysing Lenovo Thinkpad enterprise devices the company found that they used different versions of OpenSSL in the firmware image (0.9.8zb, 1.0.0a, and 1.0.2j), with the most recent OpenSSL version dating back to 2018. Moreover, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was rolled out on August 4, 2014.

“In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device… Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years,” the researchers noted in a technical write-up.

It was further found that some of the firmware packages from Lenovo and Dell used an even older version (0.9.8l) released on November 5, 2009. HP's firmware code used a 10-year-old version of the library (0.9.8w).

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the researchers said. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”


Back to the list

Latest Posts

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

Russia-linked Nodaria APT adds new Graphiron infostealer to its toolkit

The new infostealer was observed in attacks targeting Ukrainian organizations.
8 February 2023
CISA releases tool to recover encrypted VMware ESXi servers

CISA releases tool to recover encrypted VMware ESXi servers

According to CISA’s list of bitcoin addresses, over 2,800 ESXi servers have been encrypted to date.
8 February 2023
Threat actors target Ukrainian government agencies with Remcos spyware

Threat actors target Ukrainian government agencies with Remcos spyware

The attack involves a phishing email ostensibly sent by Ukrtelecom, a major Ukrainian internet service provider.
8 February 2023