Tuesday, November 29, 2022

Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions


An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.

EFI Development Kit, aka EDK, is an open source implementation of the Unified Extensible Firmware Interface (UEFI), which functions as an interface between the operating system and the firmware embedded in the device’s hardware.

The firmware development environment, which is in its second iteration (EDK II), comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Per firmware security company Binarly, the firmware image associated with Lenovo Thinkpad enterprise devices was found to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018.

What’s more, one of the firmware modules named InfineonTpmUpdateDxe relied on OpenSSL version 0.9.8zb that was shipped on August 4, 2014.

“The InfineonTpmUpdateDxe module is responsible for updating the firmware of Trusted Platform Module (TPM) on the Infineon chip,” Binarly explained in a technical write-up last week.


“This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”

The diversity of OpenSSL versions aside, some of the firmware packages from Lenovo and Dell utilized an even older version (0.9.8l), which came out on November 5, 2009. HP’s firmware code, likewise, used a 10-year-old version of the library (0.9.8w).

The fact that the device firmware uses multiple versions of OpenSSL in the same binary package highlights how third-party code dependencies can introduce more complexities in the supply chain ecosystem.

Binarly further pointed out the weaknesses in what’s called a Software Bill of Materials (SBOM) that arises as a result of integrating compiled binary modules (aka closed source) in the firmware.

“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” the company said.

“A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
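The following is an added example, not code from the article or from Binarly: a binary-level check in the spirit of the SBOM validation described above, which scans firmware bytes for OpenSSL version banners and compares them with what an SBOM declares. It assumes the image is already unpacked and that each OpenSSL build kept its ASCII version banner; the function names, sample bytes and declared SBOM set are constructed for illustration.

```python
import re

# Assumption: each OpenSSL build kept its ASCII banner (OPENSSL_VERSION_TEXT),
# e.g. "OpenSSL 0.9.8l 5 Nov 2009". Modules without the string are not detected.
BANNER = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})\s+\d{1,2} [A-Z][a-z]{2} \d{4}"
)


def find_openssl_versions(blob: bytes) -> dict:
    """Map each embedded OpenSSL version to the byte offsets of its banner."""
    found = {}
    for match in BANNER.finditer(blob):
        version = match.group(1).decode("ascii")
        found.setdefault(version, []).append(match.start())
    return found


def validate_sbom(blob: bytes, declared: set) -> dict:
    """Compare versions observed in the binary with those the SBOM declares."""
    observed = set(find_openssl_versions(blob))
    return {
        "undeclared": sorted(observed - declared),  # in binary, absent from SBOM
        "unobserved": sorted(declared - observed),  # in SBOM, not seen in binary
        "confirmed": sorted(observed & declared),
    }


# Constructed sample standing in for an unpacked firmware image: two modules
# linked against different OpenSSL builds, one of them included twice.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"OpenSSL 0.9.8l 5 Nov 2009\x00"
    + b"\xff" * 8
    + b"OpenSSL 1.0.0a 1 Jun 2010\x00"
    + b"part of OpenSSL 0.9.8l 5 Nov 2009\x00"
)
# Constructed SBOM claim for the same image.
SAMPLE_SBOM = {"1.0.0a", "1.0.2j"}

if __name__ == "__main__":
    for version, offsets in sorted(find_openssl_versions(SAMPLE_IMAGE).items()):
        print(f"{version}: banner at offsets {offsets}")
    print(validate_sbom(SAMPLE_IMAGE, SAMPLE_SBOM))
```

An "undeclared" entry is the case the article describes: a library version present in the shipped binary that the vendor's SBOM does not list.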


