Binarly researchers found that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library.
The OpenSSL software library secures communications over computer networks against eavesdropping and lets each side identify the party at the other end. OpenSSL is an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
Researchers discovered the issue by analyzing firmware images used by devices from the manufacturers above.
The experts analyzed EDK II, the core framework on which practically every UEFI firmware is built; it carries its own submodule and wrapper around the OpenSSL library (OpensslLib) in the CryptoPkg component.
EDK II is a modern, feature-rich cross-platform firmware development environment for UEFI and UEFI Platform Initialization (PI) specifications.
The main EDK II repository is hosted on GitHub and is frequently updated.
The experts first analyzed Lenovo ThinkPad enterprise devices and found that a single firmware image contained several different versions of OpenSSL.
Lenovo ThinkPad enterprise firmware used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The newest of the three, 1.0.2j, was released in 2016.
“Many security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years,” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the Trusted Platform Module (TPM) firmware on the Infineon chip. This clearly points to the problem in the supply chain with third-party dependencies when it appears that those dependencies never received an update, even for critical security issues.”
One of the firmware modules, InfineonTpmUpdateDxe, uses OpenSSL version 0.9.8zb, released in August 2014.
The newest OpenSSL build the researchers found in any Lenovo enterprise firmware dates back to summer 2021.
The report includes a chart listing, for each vendor, every OpenSSL version that Binarly's platform detected in firmware images in the wild.
The experts pointed out that a single device firmware often relies on several different versions of OpenSSL at once.
The reason is that each third-party component carries its own copy of OpenSSL inside its own code base, which is often not available to the device firmware developers, so the device vendor cannot simply update it. The researchers explained that this introduces an additional layer of complexity into the supply chain.
“Most OpenSSL dependencies are statically linked as libraries to specific firmware modules that create compile-time dependencies that are difficult to identify without deep code analysis capabilities,” continues the report. “Historically, the problem of third-party code dependencies is not an easily solved problem at the compiled code level.”
The experts also noticed that firmware modules in Dell and Lenovo devices are built on version 0.9.8l, dating back to 2009.
Some Lenovo devices were using version 1.0.0a, from 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, from 2012.
“We see an urgent need for an additional layer of SBOM validation with respect to compiled code to validate at the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the report concludes. “A ‘trust but verify’ approach is the best way to manage SBOM failures and reduce supply chain risk.”
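The report's two practical points above are that OpenSSL is statically linked into individual firmware modules, so only the compiled bytes reveal which version actually shipped, and that the vendor's SBOM should be checked against that binary evidence. The following Python script is an added example written for this page, not Binarly's tooling: it scans an already-extracted firmware module for the OPENSSL_VERSION_TEXT banner that every OpenSSL build embeds, orders the versions it finds (including the pre-3.0 letter suffixes, where 0.9.8l sorts before 0.9.8zb), and reconciles them with a hypothetical SBOM. The sample module bytes, the SBOM contents and the banner dates are constructed for the example; the end-of-support dates are the OpenSSL project's published ones.

```python
"""Scan an extracted firmware module for statically linked OpenSSL version
banners and reconcile them with the vendor-supplied SBOM (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# OPENSSL_VERSION_TEXT looks like "OpenSSL 0.9.8zb 6 Aug 2014". It survives static
# linking because OpenSSL_version()/SSLeay_version() reference the string.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(?:-[A-Za-z0-9]+)?\s+(\d{1,2} [A-Z][a-z]{2} \d{4})"
)

# Release branches that no longer receive security fixes (OpenSSL project dates).
EOL_BRANCHES = {
    "0.9.8": "2015-12-31", "1.0.0": "2015-12-31", "1.0.1": "2016-12-31",
    "1.1.0": "2019-09-11", "1.0.2": "2019-12-31", "1.1.1": "2023-09-11",
}


@dataclass(frozen=True)
class OpenSSLVersion:
    numbers: tuple   # (0, 9, 8)
    letters: str     # "zb" in 0.9.8zb; "" for 3.x releases
    date: str        # build date taken from the banner, "" if unknown

    @classmethod
    def parse(cls, text: str, date: str = "") -> OpenSSLVersion:
        m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", text)
        if not m:
            raise ValueError(f"not an OpenSSL version: {text!r}")
        return cls(tuple(int(x) for x in m.group(1).split(".")), m.group(2), date)

    @property
    def branch(self) -> str:
        # Support branches are major.minor.fix before 3.0 and major.minor from 3.0 on.
        depth = 3 if self.numbers[0] < 3 else 2
        return ".".join(str(n) for n in self.numbers[:depth])

    def sort_key(self):
        # Pre-3.0 patch letters order as sequences: l < z < za < zb.
        return (self.numbers, tuple(ord(c) - ord("a") + 1 for c in self.letters))

    def __str__(self) -> str:
        return ".".join(str(n) for n in self.numbers) + self.letters


def find_openssl_versions(blob: bytes) -> list[OpenSSLVersion]:
    """Return every distinct OpenSSL banner found in the bytes, oldest first."""
    found: dict[str, OpenSSLVersion] = {}
    for m in BANNER_RE.finditer(blob):
        v = OpenSSLVersion.parse(m.group(1).decode() + m.group(2).decode(),
                                 m.group(3).decode())
        found.setdefault(str(v), v)   # the same copy may be referenced twice
    return sorted(found.values(), key=OpenSSLVersion.sort_key)


def reconcile_with_sbom(found: list[OpenSSLVersion], declared: set[str]) -> dict:
    """'Trust but verify': compare binary evidence with what the SBOM claims."""
    found_names = {str(v) for v in found}
    return {
        "undeclared": sorted(found_names - declared),   # shipped, not in the SBOM
        "missing": sorted(declared - found_names),      # in the SBOM, not in the binary
        "eol": {str(v): EOL_BRANCHES[v.branch] for v in found if v.branch in EOL_BRANCHES},
    }


# Constructed sample: a fake module with three statically linked OpenSSL copies
# mirroring the versions the report names. Banner dates are illustrative only.
SAMPLE_MODULE = (
    b"\x00" * 16 + b"InfineonTpmUpdateDxe\x00" + b"OpenSSL 0.9.8zb 6 Aug 2014\x00"
    + b"\xff" * 8 + b"OpenSSL 1.0.0a 1 Jun 2010\x00"
    + b"\x90" * 8 + b"OpenSSL 1.0.2j  26 Sep 2016\x00"
    + b"OpenSSL 0.9.8zb 6 Aug 2014\x00"
)
# Hypothetical vendor-declared components: one is real, one never shipped.
SAMPLE_SBOM = {"1.0.2j", "1.1.1l"}


def main() -> dict:
    versions = find_openssl_versions(SAMPLE_MODULE)
    report = reconcile_with_sbom(versions, SAMPLE_SBOM)
    for v in versions:
        print(f"found OpenSSL {v} (banner date {v.date}, branch {v.branch})")
    for key, value in report.items():
        print(f"{key}: {value}")
    return report


if __name__ == "__main__":
    main()
```

Run it against modules extracted from the firmware image with a UEFI firmware parser such as UEFITool, not against a raw capsule or SPI dump, because firmware volumes are usually compressed and the banner is invisible until the module is unpacked. A missing banner is not proof of a missing OpenSSL: a stripped or patched build can drop the string, which is why the report argues for deeper binary analysis rather than string matching alone.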