Many Dell, HP and Lenovo devices use old and insecure versions of OpenSSL, as Binarly warns.
Let me remind you that we also wrote that OpenSSL Fixes First Critical Vulnerability Since 2016, and that OpenSSL Patches Released and Critical Vulnerability Turns Out to Be Not So Critical.
The problem lies in the EFI Development Kit II (EDK II) open-source environment, since EDK II comes with its own cryptographic package, CryptoPkg, which, in turn, relies on OpenSSL. As a result, according to the researchers, the firmware associated with corporate Lenovo Thinkpad devices uses three different versions of OpenSSL at once (0.9.8zb, 1.0.0a and 1.0.2j), the newest of which was released in 2018.
Moreover, one of the firmware modules (InfineonTpmUpdateDxe) relies on OpenSSL version 0.9.8zb, released on August 4, 2014.
In addition to the OpenSSL versions listed, some Lenovo and Dell firmware also use an even older version (0.9.8l) that was released on November 5, 2009. The HP firmware code also used a 10-year-old version of OpenSSL (0.9.8w).
| Manufacturer | OpenSSL version | Release date |
| --- | --- | --- |
| Lenovo, Dell | 0.9.8l | November 05, 2009 |
| Lenovo, Dell, HP | 0.9.8w | April 24, 2012 |
| Lenovo, HP | 0.9.8zb | August 06, 2014 |
| Lenovo | 0.9.8zd | January 08, 2015 |
| Lenovo | 0.9.8ze | January 15, 2015 |
| Lenovo | 0.9.8zf | March 19, 2015 |
| Lenovo | 1.0.0a | June 01, 2010 |
| Lenovo | 1.0.2d | July 09, 2015 |
| Lenovo | 1.0.2f | January 28, 2016 |
| Lenovo, Dell | 1.0.2g | March 01, 2016 |
| Lenovo | 1.0.2h | May 03, 2016 |
| Lenovo, Dell, HP | 1.0.2j | September 26, 2016 |
| Lenovo, Dell | 1.0.2k | January 26, 2017 |
| Lenovo, Dell, HP | 1.0.2u | December 20, 2019 |
| Lenovo | 1.1.0b | September 26, 2016 |
| Lenovo | 1.1.0g | November 02, 2017 |
| Lenovo, Dell | 1.1.0h | March 27, 2018 |
| Lenovo, Dell | 1.1.0j | November 20, 2018 |
| Lenovo | 1.1.1d | September 10, 2019 |
| Lenovo, Dell | 1.1.1l | August 24, 2021 |
| Dell | 1.1.0e | February 16, 2017 |
| Dell | 1.1.1n | March 15, 2022 |
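Because CryptoPkg statically links OpenSSL into individual EFI modules, an inventory of a firmware image has to look inside the modules themselves. OpenSSL builds normally embed their `OPENSSL_VERSION_TEXT` string (for example `OpenSSL 1.0.2j  26 Sep 2016`), so a simple scan for those strings, checked against the release dates in the table above, gives a first-pass picture of how many and how old the embedded copies are. The script below is an added illustration written for this article, not Binarly's tooling or anything from EDK II; the sample image bytes are constructed, the reference date is assumed, and the five-year staleness threshold is an arbitrary choice.

```python
import re
from datetime import date, datetime

# Reference table of OpenSSL release dates, taken from the versions listed in the article.
OPENSSL_RELEASES = {
    "0.9.8l": date(2009, 11, 5),
    "0.9.8w": date(2012, 4, 24),
    "0.9.8zb": date(2014, 8, 6),
    "0.9.8zd": date(2015, 1, 8),
    "0.9.8ze": date(2015, 1, 15),
    "0.9.8zf": date(2015, 3, 19),
    "1.0.0a": date(2010, 6, 1),
    "1.0.2d": date(2015, 7, 9),
    "1.0.2f": date(2016, 1, 28),
    "1.0.2g": date(2016, 3, 1),
    "1.0.2h": date(2016, 5, 3),
    "1.0.2j": date(2016, 9, 26),
    "1.0.2k": date(2017, 1, 26),
    "1.0.2u": date(2019, 12, 20),
    "1.1.0b": date(2016, 9, 26),
    "1.1.0e": date(2017, 2, 16),
    "1.1.0g": date(2017, 11, 2),
    "1.1.0h": date(2018, 3, 27),
    "1.1.0j": date(2018, 11, 20),
    "1.1.1d": date(2019, 9, 10),
    "1.1.1l": date(2021, 8, 24),
    "1.1.1n": date(2022, 3, 15),
}

# OpenSSL embeds OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.2j  26 Sep 2016".
# The date group is optional so a build that altered it is still reported.
VERSION_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:\s+(\d{1,2} [A-Z][a-z]{2} \d{4}))?")


def version_key(version):
    """Sort key: numeric components, then the letter suffix ('0.9.8zb' sorts after '0.9.8l')."""
    major, minor, patch, suffix = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version).groups()
    return (int(major), int(minor), int(patch), suffix)


def scan_firmware(blob):
    """Return one finding per embedded OpenSSL version string, in image order."""
    findings = []
    for m in VERSION_RE.finditer(blob):
        version = m.group(1).decode()
        embedded = None
        if m.group(2):
            embedded = datetime.strptime(m.group(2).decode(), "%d %b %Y").date()
        findings.append({
            "offset": m.start(),
            "version": version,
            "embedded_date": embedded,
            # Prefer the reference table; fall back to the date carried in the string.
            "release_date": OPENSSL_RELEASES.get(version, embedded),
        })
    return findings


def stale_versions(findings, as_of, max_age_years=5):
    """Versions released more than max_age_years before as_of, oldest first."""
    stale = set()
    for f in findings:
        rel = f["release_date"]
        if rel is not None and (as_of - rel).days / 365.25 > max_age_years:
            stale.add(f["version"])
    return sorted(stale, key=version_key)


# Constructed sample image: three version strings separated by filler bytes, plus a
# decoy ("OpenSSLConfig") that must not be reported as a version.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"OpenSSL 0.9.8zb 6 Aug 2014\x00" + b"\xff" * 40
    + b"OpenSSLConfig\x00" + b"\x00" * 8
    + b"OpenSSL 1.0.2j  26 Sep 2016\x00" + b"\x90" * 24
    + b"OpenSSL 1.1.1l  24 Aug 2021\x00"
)
REPORT_DATE = date(2022, 11, 17)  # assumed reference date for the age check

if __name__ == "__main__":
    found = scan_firmware(SAMPLE_IMAGE)
    for f in found:
        print(f"0x{f['offset']:06x}  OpenSSL {f['version']:<8} released {f['release_date']}")
    print("stale:", stale_versions(found, REPORT_DATE))
```

On a real image you would first unpack the firmware volumes into individual modules and run the scan per module, so that each hit can be tied back to a module name such as the InfineonTpmUpdateDxe case the article mentions; the version string is a heuristic, not proof of which code paths are reachable, so a hit is a prompt to ask the vendor which module needs updating rather than a vulnerability verdict on its own.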
Binarly’s report emphasizes that this case clearly illustrates how third-party dependencies significantly complicate the software supply chain.