Firmware analysis of devices from Dell, HP and Lenovo revealed obsolete versions of the OpenSSL cryptographic library, adding yet another risk to the firmware supply chain.
EDK (EFI Development Kit) is the reference development kit for UEFI applications, firmware images and drivers. Its successor, EDK II, ships with its own cryptographic package, CryptoPkg, which is built on top of the OpenSSL project's code.
According to Binarly, Lenovo ThinkPad firmware contains three different OpenSSL versions: 0.9.8zb, 1.0.0a and 1.0.2j, the newest of which was released in 2016. Moreover, one firmware module, InfineonTpmUpdateDxe, uses OpenSSL 0.9.8zb, which was released on August 4, 2014.
“The InfineonTpmUpdateDxe module is responsible for updating the Trusted Platform Module (TPM) on the Infineon chip,” Binarly's specialists write.
In their view, this situation clearly illustrates the supply-chain problem of third-party dependencies that do not receive fixes even for critical vulnerabilities.
Notably, some Lenovo and Dell firmware images use an even older version, 0.9.8l, released on November 5, 2009. HP has a similar problem: some of its firmware uses an OpenSSL release from ten years ago (0.9.8w).
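Because OpenSSL compiles its version banner (the OPENSSL_VERSION_TEXT string, e.g. "OpenSSL 0.9.8zb 4 Aug 2014") into the library, any DXE module statically linked against CryptoPkg carries that string with it, so an inventory of the OpenSSL builds inside a firmware image can be made by scanning the extracted modules for that banner. The script below is an added example written for this article, not Binarly's tooling; it assumes the firmware has already been unpacked into individual module files with a UEFI image unpacker, and the module names and bytes in SAMPLE_MODULES are constructed for the demonstration (only the version strings mirror the ones reported above).

```python
import re
from typing import Dict, List, Optional, Tuple

# OpenSSL's compiled-in banner looks like b"OpenSSL 0.9.8zb 4 Aug 2014".
# The date is optional in the match so truncated or stripped banners still count.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?: +(\d{1,2} [A-Z][a-z]{2} \d{4}))?"
)


def version_key(version: str) -> Tuple[int, int, int, str]:
    """Sort key for pre-1.1 OpenSSL versions: "0.9.8zb" -> (0, 9, 8, "zb").

    Patch letters compare lexically, which matches OpenSSL's own ordering
    (a < b < ... < z < za < zb); an absent letter sorts before "a".
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", version)
    if m is None:
        raise ValueError(f"not an OpenSSL version string: {version!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def find_openssl_versions(blob: bytes) -> List[Tuple[str, Optional[str]]]:
    """Return every distinct (version, build date) banner found in a binary blob,
    oldest first. The date is None when the banner carries no date."""
    seen: Dict[str, Optional[str]] = {}
    for m in BANNER_RE.finditer(blob):
        version = m.group(1).decode("ascii")
        date = m.group(2).decode("ascii") if m.group(2) else None
        # Keep the first sighting, but upgrade to a dated banner if one shows up later.
        if version not in seen or (seen[version] is None and date):
            seen[version] = date
    return sorted(seen.items(), key=lambda kv: version_key(kv[0]))


def stale_modules(modules: Dict[str, bytes], minimum: str) -> Dict[str, List[str]]:
    """Map each module name to the OpenSSL versions it embeds that are older
    than `minimum`. An empty list means the module is clean (or has no OpenSSL)."""
    floor = version_key(minimum)
    return {
        name: [v for v, _ in find_openssl_versions(blob) if version_key(v) < floor]
        for name, blob in modules.items()
    }


# Constructed sample standing in for modules carved out of a firmware dump.
# Module names and surrounding bytes are invented; the version strings are the
# ones reported for the analysed firmware.
SAMPLE_MODULES: Dict[str, bytes] = {
    "InfineonTpmUpdateDxe": b"\x00" * 16 + b"OpenSSL 0.9.8zb 4 Aug 2014\x00" + b"\xff" * 8,
    "SecureBootDxe": b"MZ\x90\x00" + b"OpenSSL 1.0.2j\x00",
    "NetworkStackDxe": b"OpenSSL 1.0.0a 1 Jun 2010\x00" + b"OpenSSL 1.0.2j\x00",
    "NoCryptoDxe": b"nothing to see here\x00",
}

if __name__ == "__main__":
    # 1.0.2u is the final 1.0.2 release; every 1.0.2 build below it, and the
    # whole 0.9.8 and 1.0.0 lines, are end-of-life.
    for module, old in stale_modules(SAMPLE_MODULES, "1.0.2u").items():
        print(f"{module:22s} {'STALE ' + ', '.join(old) if old else 'ok'}")
```

On a real image, feed each extracted PE/COFF module in as a blob; the regex also catches banners in compressed sections only after they have been decompressed, so scan the unpacked module bodies, not the raw flash dump alone.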