Outdated OpenSSL Version used by major vendors
Researchers have discovered devices from Dell, HP, and Lenovo using outdated versions of the OpenSSL cryptographic library.
The OpenSSL software library secures communications over computer networks against eavesdropping and lets a party identify the peer at the other end of a connection. OpenSSL contains an open-source implementation of the SSL and TLS protocols.
The experts analyzed EDKII, one of the core frameworks used as part of any UEFI firmware, which has its own submodule and wrapper over the OpenSSL library in the CryptoPkg component. The main EDKII repository is hosted on GitHub and is frequently updated.
Researchers analyzed Lenovo ThinkPad enterprise devices and discovered that they used several different versions of OpenSSL within a single firmware image.
Lenovo ThinkPad enterprise devices used three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent of these OpenSSL versions was released in 2018.
Most security-related firmware modules contain significantly outdated versions of OpenSSL. For instance, the InfineonTpmUpdateDxe module, which is responsible for updating the firmware of the Trusted Platform Module on the Infineon chip, was last updated in 2014.
This illustrates the supply chain problem with third-party dependencies: these dependencies appear never to receive an update, even for critical security issues.
The researchers also found that the most recent OpenSSL version used on Lenovo enterprise devices dates back to 2021.
The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l, which dates back to 2009. Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors were observed using version 0.9.8w, which dates back to 2012.
There is a need for an extra layer of SBOM validation for compiled code: the list of third-party dependencies should be verified at the binary level against the SBOM actually provided by the vendor, so that what the firmware embeds matches what the vendor declares.
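As an added example of the binary-level SBOM check described above (not code from the research or from any vendor), the script below scans firmware module contents for the version banner OpenSSL compiles into every build and compares the versions it finds with the versions a vendor SBOM declares. The module names, blob contents and SBOM entries are constructed for illustration; a real run would take the modules from an unpacked UEFI image.

```python
import re
from typing import Dict, List, Set

# Banner OpenSSL embeds in every build, e.g. "OpenSSL 1.0.2j  26 Sep 2016".
OPENSSL_BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def openssl_versions_in_module(blob: bytes) -> Set[str]:
    """Return every OpenSSL version string embedded in one firmware module."""
    return {m.group(1).decode() for m in OPENSSL_BANNER.finditer(blob)}


def binary_sbom(modules: Dict[str, bytes]) -> Dict[str, Set[str]]:
    """Build the OpenSSL inventory actually present in the binaries, per module."""
    found = {name: openssl_versions_in_module(blob) for name, blob in modules.items()}
    return {name: vers for name, vers in found.items() if vers}


def validate_sbom(declared: Dict[str, Set[str]], actual: Dict[str, Set[str]]) -> List[str]:
    """Compare vendor-declared OpenSSL versions with what the binaries embed.

    Returns sorted findings; an empty list means the SBOM matches the binaries.
    """
    findings = []
    for module, versions in actual.items():
        for ver in sorted(versions - declared.get(module, set())):
            findings.append(f"{module}: embeds OpenSSL {ver} not declared in SBOM")
    for module, versions in declared.items():
        for ver in sorted(versions - actual.get(module, set())):
            findings.append(f"{module}: SBOM declares OpenSSL {ver} but binary does not contain it")
    return sorted(findings)


# Constructed sample modules; banners mimic the mix of old versions discussed above.
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"\x00PAD\x00OpenSSL 0.9.8zb 6 Aug 2014\x00more bytes",
    "SecureBootDxe": b"junk\x00OpenSSL 1.0.2j  26 Sep 2016\x00junk",
    "UsbBusDxe": b"no crypto here\x00",
}

# Constructed vendor SBOM that claims one, newer OpenSSL for both crypto modules.
SAMPLE_SBOM = {"SecureBootDxe": {"1.0.2j"}, "InfineonTpmUpdateDxe": {"1.0.2j"}}

if __name__ == "__main__":
    for line in validate_sbom(SAMPLE_SBOM, binary_sbom(SAMPLE_MODULES)):
        print(line)
```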
This research was documented by researchers from Binarly.