Dell, HP, and Lenovo devices use outdated versions of OpenSSL to secure transactions

The researchers found that devices from Dell, HP, and Lenovo were still using outdated versions of the OpenSSL encryption library.

Binarly researchers found that Dell, HP, and Lenovo devices are still using outdated versions of the OpenSSL encryption library.

The OpenSSL software library enables secure communication over a computer network, protecting against eavesdropping and allowing the party at the other end of the connection to be identified. OpenSSL includes open source implementations of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The researchers discovered the issue by analyzing firmware images of devices used by the aforementioned manufacturers.

The experts analyzed EDK II, one of the core frameworks used in any UEFI firmware, which carries its own submodule and wrapper around the OpenSSL library (OpensslLib) in its CryptoPkg component.

EDK II is a modern, feature-rich, cross-platform firmware development environment for UEFI and the UEFI Platform Initialization (PI) specification.

The main EDK II repository is hosted on GitHub and is updated frequently.

The experts first analyzed Lenovo ThinkPad enterprise devices and found that they used different versions of OpenSSL in their firmware images.

Lenovo ThinkPad enterprise devices use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The newest of these three versions was released in 2018.

“Many security-related firmware modules contain apparently outdated versions of OpenSSL. Some of them, like InfineonTpmUpdateDxe, contain code that has been known to be vulnerable for at least eight (8) years,” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of the Trusted Platform Module (TPM) on Infineon chips. This is a clear indication of a supply chain problem with third-party dependencies when it appears that these dependencies never receive updates, even for critical security issues.”

One of the firmware modules, named InfineonTpmUpdateDxe, uses OpenSSL version 0.9.8zb released on August 4, 2014.

The researchers found that the latest OpenSSL version used on Lenovo enterprise devices dates back to the summer of 2021.

The graph below reports all OpenSSL versions detected in the wild by the Binarly Platform for each vendor:

[Figure: OpenSSL versions detected per vendor]

Experts point out that the same device firmware code often depends on different versions of OpenSSL.

The researchers explained that this situation arises because third-party code in the supply chain is built from its own code bases, which are often not available to device firmware developers, and this adds complexity to the supply chain.

“Most OpenSSL dependencies are statically linked as libraries to specific firmware modules, which create compile-time dependencies that are difficult to identify without in-depth code analysis capabilities,” the report continues. “Historically, issues in third-party code dependencies have not been an easy problem to fix at the compiled code level.”

Experts noted that Dell and Lenovo devices depend on version 0.9.8l dating back to 2009.

Some Lenovo devices were using version 1.0.0a from 2010, while three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w from 2012.

“When it comes to compiling code for verification at the binary level, we see an urgent need for an additional layer of SBOM verification, with lists of third-party dependency information matching the actual SBOM provided by the vendor,” the report concluded. “The ‘trust but verify’ approach is the best way to handle SBOM failures and reduce supply chain risk.”
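Because each statically linked copy of OpenSSL carries its own version banner into the firmware module, the binary-level SBOM check the report calls for can start with a raw byte scan of the image. The following added example (not Binarly's code, nor part of the EDK II project) finds every OpenSSL banner in a firmware blob, flags versions from end-of-life branches, and diffs the result against the vendor-declared SBOM; the sample firmware bytes, the second module name and the build dates are constructed for illustration.

```python
import re

# Every OpenSSL build embeds a banner such as b"OpenSSL 0.9.8zb 4 Aug 2014".
# Statically linked copies carry that banner into the firmware module, so a
# raw scan recovers each version present even when modules disagree.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2}) +(\d{1,2} \w{3} \d{4})")

# Release branches that no longer receive upstream fixes (known EOL branches).
EOL_BRANCHES = {"0.9.8", "1.0.0", "1.0.1", "1.0.2", "1.1.0"}

# Constructed sample: two fake UEFI modules, each linked against a different
# OpenSSL. Module name "ExampleNetDxe" and both build dates are made up.
SAMPLE_FIRMWARE = (
    b"\x00" * 16 + b"InfineonTpmUpdateDxe\x00" + b"OpenSSL 0.9.8zb 4 Aug 2014\x00"
    + b"\xff" * 8 + b"ExampleNetDxe\x00" + b"OpenSSL 1.0.0a 1 Jun 2010\x00"
)


def find_openssl_versions(blob: bytes) -> list:
    """Return unique (version, build_date) pairs in the order they appear."""
    found = []
    for match in VERSION_RE.finditer(blob):
        pair = (match.group(1).decode(), match.group(2).decode())
        if pair not in found:
            found.append(pair)
    return found


def branch(version: str) -> str:
    """Map a version such as '0.9.8zb' to its release branch '0.9.8'."""
    return version.rstrip("abcdefghijklmnopqrstuvwxyz")


def verify_against_sbom(blob: bytes, declared: set) -> dict:
    """Compare versions present in the binary with those the vendor SBOM declares."""
    present = {version for version, _ in find_openssl_versions(blob)}
    return {
        "undeclared": sorted(present - declared),  # linked in, absent from SBOM
        "missing": sorted(declared - present),     # in SBOM, not found in binary
        "eol": sorted(v for v in present if branch(v) in EOL_BRANCHES),
    }


if __name__ == "__main__":
    # A vendor SBOM that lists only a single OpenSSL version (constructed).
    report = verify_against_sbom(SAMPLE_FIRMWARE, {"1.0.2j"})
    for key, versions in report.items():
        print(f"{key}: {', '.join(versions) or 'none'}")
```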


Pierluigi Paganini
