"Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions"

An examination of firmware images from Dell, HP, and Lenovo devices revealed the presence of outdated versions of the OpenSSL cryptographic library, highlighting a supply chain risk. The EFI Development Kit (EDK) is an open-source implementation of the Unified Extensible Firmware Interface (UEFI), the specification that defines the interface between the operating system and the firmware embedded in a device's hardware. The firmware development environment, now in its second iteration (EDK II), includes its own cryptographic package, CryptoPkg, which wraps the OpenSSL library. The firmware image associated with Lenovo ThinkPad enterprise devices was found to contain three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the newest of which was released in September 2016. Furthermore, according to Binarly, one firmware module, "InfineonTpmUpdateDxe," which is responsible for updating the firmware of the Infineon Trusted Platform Module (TPM) chip, relied on OpenSSL 0.9.8zb, released in August 2014. This points to a supply chain problem with third-party dependencies: the dependencies appear never to have been updated, even for critical security fixes. The presence of multiple OpenSSL versions in the same firmware package demonstrates how third-party code dependencies complicate the supply chain ecosystem. Binarly also pointed out that a Software Bill of Materials (SBOM) built from source becomes unreliable when firmware integrates precompiled, closed-source binary modules, since the dependency versions inside those modules are not visible to it. This article continues to discuss the use of outdated OpenSSL versions by Dell, HP, and Lenovo devices.
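The finding above rests on a check anyone can run against a firmware dump: every OpenSSL build carries its OPENSSL_VERSION_TEXT banner (for example "OpenSSL 1.0.2j  26 Sep 2016"), and that string survives in any module that statically links the library, so scanning the raw image for banners reveals how many distinct versions it ships and whether their branches are still supported. The scanner below is an added example written for this page; it is not code from THN, Binarly, or the EDK II project. The sample firmware blob, the module names placed next to the banners, and the build dates in it are constructed for illustration; the branch end-of-support dates are taken from the OpenSSL project's published release strategy.

```python
import re
from datetime import date

# OPENSSL_VERSION_TEXT as compiled into the library: "OpenSSL <version> <D Mon YYYY>".
# Pre-3.0 versions end in patch letters ("0.9.8zb", "1.0.2j"); 3.x has none ("3.0.7").
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)

# End-of-support dates per release branch (OpenSSL release strategy).
# A branch missing from this table is reported as "unknown-branch" rather than guessed.
BRANCH_EOL = {
    "0.9.8": date(2015, 12, 31),
    "1.0.0": date(2015, 12, 31),
    "1.0.1": date(2016, 12, 31),
    "1.0.2": date(2019, 12, 31),
    "1.1.0": date(2019, 9, 11),
    "1.1.1": date(2023, 9, 11),
}

# Constructed sample image: three "modules" with filler bytes, each linking its own
# OpenSSL; the last banner appears twice to show de-duplication. Not a real dump.
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"_FVH" + b"\xff" * 8
    + b"InfineonTpmUpdateDxe\x00" + b"OpenSSL 0.9.8zb 6 Aug 2014\x00" + b"\x90" * 8
    + b"TlsDxe\x00" + b"OpenSSL 1.0.0a 1 Jun 2010\x00" + b"\xff" * 8
    + b"CryptoDxe\x00" + b"OpenSSL 1.0.2j  26 Sep 2016\x00"
    + b"OpenSSL 1.0.2j  26 Sep 2016\x00"
)


def branch_of(version: str) -> str:
    """Strip the patch letters: '0.9.8zb' -> '0.9.8', '1.1.1k' -> '1.1.1'."""
    return re.match(r"\d+\.\d+\.\d+", version).group(0)


def find_openssl_versions(blob: bytes) -> list:
    """Return every distinct (version, build date) banner in the blob, in file order."""
    found = []
    for m in BANNER_RE.finditer(blob):
        item = (m.group(1).decode(), m.group(2).decode())
        if item not in found:
            found.append(item)
    return found


def assess(blob: bytes, today: date) -> list:
    """Classify each embedded OpenSSL version against its branch's end-of-support date."""
    report = []
    for version, built in find_openssl_versions(blob):
        branch = branch_of(version)
        eol = BRANCH_EOL.get(branch)
        if eol is None:
            status = "unknown-branch"
        elif eol < today:
            status = "end-of-life"
        else:
            status = "supported"
        report.append({"version": version, "built": built,
                       "branch": branch, "status": status})
    return report


def distinct_versions(blob: bytes) -> list:
    """The supply-chain signal itself: more than one entry means several OpenSSL
    copies are linked into the same image, each needing its own patching."""
    return sorted({v for v, _ in find_openssl_versions(blob)})


if __name__ == "__main__":
    for row in assess(SAMPLE_IMAGE, date.today()):
        print(f"{row['version']:<10} built {row['built']:<12} "
              f"branch {row['branch']:<6} {row['status']}")
    print("distinct OpenSSL versions in image:", distinct_versions(SAMPLE_IMAGE))
```

Run it against a real dump (for example the output of a flash reader or a UEFI image extractor) by reading the file as bytes and passing it to `assess`. Compressed firmware volumes must be decompressed first, since banners inside them are not visible to a raw scan, and a banner proves only that a given OpenSSL build is present, not which module uses it; mapping versions to modules requires carving the image into its individual PE/TE files.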

THN reports "Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions"
