Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions

2022-11-25 11:15

An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.

The firmware development environment, which is in its second iteration, comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.

What's more, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was shipped on August 4, 2014.

The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version, which came out on November 5, 2009.

The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.

News URL

https://thehackernews.com/2022/11/dell-hp-and-lenovo-devices-found-using.html

#dell #HP #lenovo #openssl

Related vendor

VENDOR	#/PRODUCTS	LOW	MEDIUM	HIGH	CRITICAL	TOTAL VULNS
HP	6796	19	249	488	237	993
Dell	1664	29	430	411	109	979
Lenovo	2278	5	177	158	16	356
Openssl	1	7	48	51	13	119