Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions

2022-11-25 11:15

An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.

The firmware development environment, which is in its second iteration, comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.

What's more, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was shipped on August 4, 2014.

The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version, which came out on November 5, 2009.

The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.

News URL

https://thehackernews.com/2022/11/dell-hp-and-lenovo-devices-found-using.html

#dell #HP #lenovo #openssl

Related vendor

VENDOR	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
HP	8950	139	728	500	670	2037
Dell	1764	98	476	312	95	981
Lenovo	3015	32	211	119	17	379
Openssl	2	12	97	52	17	178