Computer manufacturers Dell, HP, and Lenovo were using outdated versions of the OpenSSL cryptographic library, researchers at AI-powered firmware protection firm Binarly found. The researchers discovered critical vulnerabilities across the systems of multiple electronics manufacturers.
In plain terms, OpenSSL is a general-purpose cryptography library that provides an open-source implementation of the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is used to secure communication over a computer network against cyberattacks. It is used primarily by internet servers and by the majority of critical-infrastructure companies that operate HTTPS websites.
Outdated OpenSSL version: a supply chain risk
Many Linux distributions and other software packages (including firmware) are already affected by a new set of vulnerabilities in OpenSSL. These vulnerabilities can manifest in several ways, and popular products from brands such as Dell, HP, and Lenovo are the main target of these potential exploits.
According to Binarly, the vulnerabilities broadly affect the EFI Development Kit, the open-source implementation of UEFI. UEFI firmware is the layer that sits between the hardware and the operating system and bridges the two: the firmware initializes the devices and ports so they can work together, and the operating system then runs on top of it. OpenSSL is embedded within this firmware to supply the cryptographic functions it relies on.
Firmware holds a critical position in the supply chain, and failing to protect it can be detrimental to other parts of the operation, at both the vendor's and the customers' ends. The three versions questioned for posing a risk are 0.9.8zb, 1.0.0a, and 1.0.2j. Analysis of these outdated versions found several bugs in them and in the devices that ship them.
The researchers claim that many of Lenovo's and Dell's firmware packages still use an older version of OpenSSL (0.9.8l), which was released ten years prior, on November 5, 2009, and has long since become outdated. HP's firmware also depends on a 10-year-old library (0.9.8w), which puts devices from these brands at risk.
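Because every OpenSSL build embeds its version text (for example "OpenSSL 0.9.8l 5 Nov 2009"), a defender can check a firmware image for stale copies without vendor tooling. The script below is an added example, not Binarly's tool or code from the article: it scans an image for those strings and flags builds from end-of-life branches. The firmware bytes are a constructed stand-in, and the EOL branch list is an assumption to be maintained from openssl.org.

```python
"""Audit a firmware image for embedded OpenSSL builds (added example, not Binarly's tool)."""
import re
from typing import Dict, List, Tuple

# Every OpenSSL build embeds its OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 0.9.8l 5 Nov 2009".
# The optional letter suffix is the patch-letter scheme OpenSSL used before 3.0.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

# Assumption: branches that no longer receive security fixes; maintain from openssl.org.
EOL_BRANCHES = {(0, 9, 8), (1, 0, 0), (1, 0, 1), (1, 0, 2), (1, 1, 0)}

# Constructed stand-in for a firmware image: filler bytes around three version strings
# (two of them outdated builds named in the article, plus one current build).
SAMPLE_IMAGE = (
    b"\x00" * 16 + b"_FVH" + b"\xff" * 8
    + b"OpenSSL 0.9.8l 5 Nov 2009\x00" + b"\x90" * 12
    + b"OpenSSL 1.0.2j  26 Sep 2016\x00" + b"\xcc" * 12
    + b"OpenSSL 3.0.7 1 Nov 2022\x00"
)


def version_key(major: int, minor: int, patch: int, letters: str) -> Tuple:
    """Sortable key: 0.9.8a < 0.9.8z < 0.9.8za < 0.9.8zb, so a longer suffix sorts later."""
    return (major, minor, patch, len(letters), letters)


def find_openssl_versions(blob: bytes) -> List[Tuple[int, Tuple[int, int, int, str]]]:
    """Return (offset, (major, minor, patch, letters)) for each version string found."""
    hits = []
    for m in VERSION_RE.finditer(blob):
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        hits.append((m.start(), (major, minor, patch, m.group(4).decode("ascii"))))
    return hits


def audit(blob: bytes) -> List[Dict]:
    """Flag every embedded OpenSSL build whose branch is end-of-life."""
    report = []
    for offset, (major, minor, patch, letters) in find_openssl_versions(blob):
        report.append({
            "offset": offset,
            "version": f"{major}.{minor}.{patch}{letters}",
            "eol": (major, minor, patch) in EOL_BRANCHES,
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_IMAGE):
        flag = "EOL - replace" if entry["eol"] else "supported"
        print(f"offset 0x{entry['offset']:06x}: OpenSSL {entry['version']} ({flag})")
```

Run it over a dumped SPI flash image read with open(path, "rb").read(); volumes stored compressed inside the image must be unpacked first, since strings inside compressed sections are not visible to a raw scan.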