28 November 2022

Dell, HP, Lenovo devices still using outdated OpenSSL versions

Devices made by Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library, potentially introducing risks to the UEFI firmware supply chain ecosystem.

The discovery was made by researchers at firmware security company Binarly who examined firmware images across devices produced by the above mentioned firms.

The researchers analyzed EDKII, one of the core frameworks used as part of any UEFI firmware, which carries its own submodule and wrapper over the OpenSSL library (OpensslLib) in the CryptoPkg component.

EFI Development Kit (EDK) is a development code base for creating UEFI drivers, applications and firmware images.

While analysing Lenovo Thinkpad enterprise devices the company found that they used different versions of OpenSSL in the firmware image (0.9.8zb, 1.0.0a, and 1.0.2j), with the most recent OpenSSL version dating back to 2018. Moreover, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was rolled out on August 4, 2014.

“In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device… Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years,” the researchers noted in a technical write-up.

It was further found that some of the firmware packages from Lenovo and Dell used an even older version (0.9.8l) released on November 5, 2009. HP's firmware code used a 10-year-old version of the library (0.9.8w).

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the researchers said. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
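A minimal binary-level SBOM check of the kind the researchers call for, added here as an illustration; it is not Binarly's tooling or code from the article. OpenSSL builds embed their version banner (for example "OpenSSL 1.0.2j  26 Sep 2016") in the compiled library, so a scanner can recover the real version from a firmware module and compare it with what the vendor SBOM declares. The module names, banners and SBOM entry below are constructed samples, not real firmware images.

```python
import re
from typing import Dict, List, Tuple

# OpenSSL embeds its OPENSSL_VERSION_TEXT banner, e.g. "OpenSSL 1.0.2j  26 Sep 2016".
# Matching that banner in a raw module gives the version actually compiled in.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})")


def find_openssl_versions(blob: bytes) -> List[Tuple[str, str]]:
    """Return every (version, build date) OpenSSL banner found in a binary blob."""
    return [(v.decode(), d.decode()) for v, d in VERSION_RE.findall(blob)]


def version_key(version: str) -> Tuple[int, int, int, int, str]:
    """Sort key for pre-3.0 OpenSSL versions such as 0.9.8zb or 1.0.2j.
    The letter suffix is a patch level: "" < "a" < ... < "z" < "za" < "zb",
    so suffixes are compared first by length, then alphabetically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version}")
    major, minor, fix, suffix = m.groups()
    return (int(major), int(minor), int(fix), len(suffix), suffix)


def check_against_sbom(modules: Dict[str, bytes], declared: str) -> Dict[str, List[str]]:
    """Report modules whose embedded OpenSSL differs from, or is older than, the SBOM entry."""
    findings: Dict[str, List[str]] = {}
    for name, blob in modules.items():
        for version, date in find_openssl_versions(blob):
            if version == declared:
                continue
            older = version_key(version) < version_key(declared)
            status = "older than" if older else "different from"
            findings.setdefault(name, []).append(
                f"OpenSSL {version} ({date}) is {status} SBOM entry {declared}")
    return findings


# Constructed sample: fake module contents with embedded banners (not real firmware).
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"\x00PE\x00\x00...OpenSSL 0.9.8zb  4 Aug 2014\x00...",
    "OpensslLib": b"...OpenSSL 1.0.2j  26 Sep 2016\x00",
    "NoCryptoDxe": b"\x00\x00no banner here\x00",
}
SBOM_DECLARED_VERSION = "1.0.2j"  # constructed: what the vendor SBOM claims is shipped

if __name__ == "__main__":
    for module, problems in check_against_sbom(SAMPLE_MODULES, SBOM_DECLARED_VERSION).items():
        for problem in problems:
            print(f"{module}: {problem}")
```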

