Dell, HP, and Lenovo Devices Use Older Versions of OpenSSL


Many Dell, HP and Lenovo devices use old and insecure versions of OpenSSL, as Binarly warns.

Let me remind you that we also wrote that OpenSSL Fixes First Critical Vulnerability Since 2016, and that OpenSSL Patches Released and Critical Vulnerability Turns Out to be Not So Critical.

The problem lies in the EFI Development Kit II (EDK II) open-source firmware development environment: EDK II ships its own cryptographic package, CryptoPkg, which in turn relies on OpenSSL. As a result, according to the researchers, the firmware of enterprise Lenovo ThinkPad devices uses three different versions of OpenSSL at once (0.9.8zb, 1.0.0a and 1.0.2j), the newest of which was released in 2018.

Moreover, one of the firmware modules (InfineonTpmUpdateDxe) relies on OpenSSL version 0.9.8zb, released on August 4, 2014.


In addition to the OpenSSL versions listed, some Lenovo and Dell firmware also uses an even older version (0.9.8l), released on November 5, 2009. The HP firmware code also contained a 10-year-old version of OpenSSL (0.9.8w).

| Manufacturer | OpenSSL version | Release date |
|---|---|---|
| Lenovo, Dell | 0.9.8l | November 05, 2009 |
| Lenovo, Dell, HP | 0.9.8w | April 24, 2012 |
| Lenovo, HP | 0.9.8zb | August 06, 2014 |
| Lenovo | 0.9.8zd | January 08, 2015 |
| Lenovo | 0.9.8ze | January 15, 2015 |
| Lenovo | 0.9.8zf | March 19, 2015 |
| Lenovo | 1.0.0a | June 01, 2010 |
| Lenovo | 1.0.2d | July 09, 2015 |
| Lenovo | 1.0.2f | January 28, 2016 |
| Lenovo, Dell | 1.0.2g | March 01, 2016 |
| Lenovo | 1.0.2h | May 03, 2016 |
| Lenovo, Dell, HP | 1.0.2j | September 26, 2016 |
| Lenovo, Dell | 1.0.2k | January 26, 2017 |
| Lenovo, Dell, HP | 1.0.2u | December 20, 2019 |
| Lenovo | 1.1.0b | September 26, 2016 |
| Lenovo | 1.1.0g | November 02, 2017 |
| Lenovo, Dell | 1.1.0h | March 27, 2018 |
| Lenovo, Dell | 1.1.0j | November 20, 2018 |
| Lenovo | 1.1.1d | September 10, 2019 |
| Lenovo, Dell | 1.1.1l | August 24, 2021 |
| Dell | 1.1.0e | February 16, 2017 |
| Dell | 1.1.1n | March 15, 2022 |
"All this clearly points to the problem of supply chains with third-party dependencies, and it seems that these dependencies never get updated even for critical problems," the experts write.

Binarly's report stresses that the discovered issue clearly illustrates how third-party dependencies significantly complicate the supply chain ecosystem.
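The finding rests on a check any firmware team can repeat: OpenSSL compiles its version banner into libcrypto, so the exact version linked into each EDK II module can be read out of the module binary. The script below is an added example, not Binarly's tooling or code from the report; it scans constructed stand-in module blobs (the module names are hypothetical, except InfineonTpmUpdateDxe, which the report names) for OpenSSL banners and flags every version below a chosen floor.

```python
import re
from datetime import date

# OpenSSL compiles OPENSSL_VERSION_TEXT (e.g. "OpenSSL 1.0.2j  26 Sep 2016")
# into libcrypto, so the banner survives static linking into a firmware module
# and can be recovered from a raw dump of that module. Letter suffixes (0.9.8zb,
# 1.0.2k) are the pre-3.0 patch releases; "-fips" marks FIPS builds.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?:-fips)?\s+(\d{1,2}) ([A-Z][a-z]{2}) (\d{4})")
MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}


def version_key(ver):
    """Sortable key: numeric parts, then the letter suffix ("" < "a" < "z" < "zb")."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", ver)
    return tuple(int(x) for x in m.groups()[:3]) + (len(m.group(4)), m.group(4))


def find_openssl_banners(blob):
    """Distinct (version, release_date) pairs whose banner occurs in blob, oldest first."""
    found = {}
    for m in BANNER_RE.finditer(blob):
        ver = m.group(1).decode()
        found[ver] = date(int(m.group(4)), MONTHS[m.group(3).decode()], int(m.group(2)))
    return sorted(found.items(), key=lambda kv: version_key(kv[0]))


def outdated_modules(modules, min_version):
    """Map module name -> versions below min_version; modules with none are omitted."""
    floor = version_key(min_version)
    report = {}
    for name, blob in modules.items():
        old = [v for v, _ in find_openssl_banners(blob) if version_key(v) < floor]
        if old:
            report[name] = old
    return report


# Constructed stand-ins for extracted EDK II modules; the names are hypothetical
# except InfineonTpmUpdateDxe, which the report itself singles out.
SAMPLE_MODULES = {
    "InfineonTpmUpdateDxe": b"\x00\x00OpenSSL 0.9.8zb 4 Aug 2014\x00PADDING",
    "SecureBootDxe": b"junk\x00OpenSSL 1.0.2u  20 Dec 2019\x00"
                     b"OpenSSL 1.0.2j  26 Sep 2016\x00",
    "NetworkStackDxe": b"\x00OpenSSL 1.1.1n  15 Mar 2022\x00",
    "NoCryptoDxe": b"\x00no crypto here\x00",
}

if __name__ == "__main__":
    # Everything below the 1.1.1 series was already end-of-life when the report appeared.
    for mod, vers in outdated_modules(SAMPLE_MODULES, "1.1.1").items():
        print(f"{mod}: {', '.join(vers)}")
```

On a real image, feed the script the module bodies extracted with a UEFI firmware parser instead of the constructed blobs; a module with several banners is the multi-version situation the table above documents.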

By Vladimir Krasnogolovy
