
Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions
2022-11-25 11:15

An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.

The firmware development environment, which is in its second iteration, comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Per firmware security company Binarly, the firmware image associated with Lenovo ThinkPad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.

What's more, one of the firmware modules, named InfineonTpmUpdateDxe, relied on OpenSSL version 0.9.8zb, which was shipped on August 4, 2014.

The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version, which came out on November 5, 2009.

The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.
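As an added, defender-side example (not from the article or from Binarly's tooling): a small scanner that finds the OpenSSL version banners compiled into a firmware image, lists where each one occurs, and flags end-of-life builds. The firmware image bytes and the 1.1.1 end-of-life floor are constructed assumptions for the example.

```python
import re

# Every libcrypto build carries OPENSSL_VERSION_TEXT, e.g. "OpenSSL 0.9.8zb 4 Aug 2014",
# so the banners survive in a firmware image even when symbols are stripped.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*) +(\d{1,2} [A-Z][a-z]{2} \d{4})")

# Assumption for this example: anything below 1.1.1 is treated as end-of-life
# (the 1.0.2 branch stopped receiving public fixes at the end of 2019).
EOL_FLOOR = (1, 1, 1)

# Constructed stand-in for a firmware image: module names, padding and banners laid out
# roughly as they appear in a compiled blob (NUL-terminated strings amid other data).
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"InfineonTpmUpdateDxe\x00"
    + b"OpenSSL 0.9.8zb 4 Aug 2014\x00" + b"\xff" * 32
    + b"OpenSSL 1.0.0a 1 Jun 2010\x00" + b"\x00" * 8
    + b"OpenSSL 1.1.1q  5 Jul 2022\x00" + b"\x90" * 16
    + b"OpenSSL 0.9.8zb 4 Aug 2014\x00"   # same EOL build linked into a second module
)

def version_key(ver: str):
    """Sort key so that 0.9.8 < 0.9.8a < 0.9.8zb < 1.0.0a (letter suffix orders by length, then text)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    major, minor, patch, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    return (major, minor, patch, len(letter), letter)

def scan_openssl_banners(blob: bytes) -> dict:
    """Map each distinct OpenSSL version found to its banner date, byte offsets and EOL status."""
    found = {}
    for m in BANNER_RE.finditer(blob):
        ver = f"{int(m[1])}.{int(m[2])}.{int(m[3])}{m[4].decode()}"
        entry = found.setdefault(ver, {
            "date": m[5].decode(),
            "offsets": [],
            "outdated": (int(m[1]), int(m[2]), int(m[3])) < EOL_FLOOR,
        })
        entry["offsets"].append(m.start())
    return found

def outdated_versions(blob: bytes) -> list:
    """Distinct end-of-life OpenSSL versions present in the image, oldest first."""
    found = scan_openssl_banners(blob)
    return sorted((v for v, e in found.items() if e["outdated"]), key=version_key)

if __name__ == "__main__":
    for ver, e in sorted(scan_openssl_banners(SAMPLE_IMAGE).items(), key=lambda kv: version_key(kv[0])):
        flag = "EOL" if e["outdated"] else "ok"
        print(f"OpenSSL {ver:8} ({e['date']}) x{len(e['offsets'])} at {e['offsets']} [{flag}]")
```

Run against a real dump (e.g. the output of a SPI flash read or an extracted UEFI volume) by passing the file's bytes to scan_openssl_banners; a version that appears at several offsets is usually the same library statically linked into several modules.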
News URL

https://thehackernews.com/2022/11/dell-hp-and-lenovo-devices-found-using.html