Monday, April 28, 2025

Dell, HP, & Lenovo System Found Using Outdated OpenSSL Cryptographic Library


Cybersecurity researchers at Binarly recently discovered that outdated versions of the OpenSSL cryptographic library are still being used in devices from the following companies:

  • Dell
  • HP
  • Lenovo 

Outdated versions of the OpenSSL cryptographic library pose a risk to the supply chain.

Core Issue

The EFI Development Kit, also known as EDK, is an open-source implementation of UEFI. UEFI functions as an interface between the operating system and the firmware embedded within the hardware of the device.


The firmware development environment includes a cryptographic package called CryptoPkg, which in turn relies on the OpenSSL project to provide cryptographic services within the firmware.

Firmware images associated with Lenovo ThinkPad enterprise devices were found to contain three different versions of OpenSSL:

  • 0.9.8zb
  • 1.0.0a
  • 1.0.2j

One module in the firmware, known as InfineonTpmUpdateDxe, relies on OpenSSL version 0.9.8zb, which was released on August 4, 2014. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

EDKII’s GitHub repository is updated on a regular basis, and security issues are addressed by the developer community. A number of firmware images used by the above manufacturers were analyzed to determine if the issue was present in their devices.

The figure below shows how the different versions of OpenSSL relate to the main enterprise vendors, with each version linked to its release date:

[Figure: OpenSSL Versions in Firmware]

Oftentimes, firmware can be regarded as a single point of failure among all layers of a supply chain as well as the end-user devices at the end of the chain.

Recently, Microsoft highlighted the following key point:

“There were at least 10 critical vulnerabilities identified in 32% of firmware images examined.”

[Figure: Weakness Firmware images]

It is also estimated that at least two or three vulnerabilities in firmware are present in about 20% of firmware updates.

In the summer of 2021, Lenovo enterprise devices were using the most recent version of the OpenSSL library that was available at the time.

Many of Lenovo’s and Dell’s firmware packages still use an older version (0.9.8l), which was released on November 5, 2009, and is now over a decade old. 

Similarly, HP’s firmware code depended on a 10-year-old version of the library (0.9.8w), and the same version was still used by many other manufacturers as well.

The binary code analysis field is one of the most complex in the world, and there is no easy solution. For supply chain security solutions based on SBOM to succeed in today’s world, the industry needs to change its mindset and begin to think about them differently.

When it comes to third-party code that is embedded in the code of an application, the declared list of dependencies consistently falls short. When dealing with SBOM failures, a ‘trust-but-verify’ approach is the best way to reduce supply chain risks and the likelihood of SBOM failures.
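A minimal form of that trust-but-verify check, as an added example (not code from Binarly or the original article): scan an already unpacked firmware image for OpenSSL version banners and compare the result with what the SBOM declares. The sample image, the SBOM contents and the policy floor are constructed for illustration, and the names `find_versions` and `audit` are hypothetical.

```python
import re

# OpenSSL version banner as compiled into binaries, e.g. b"OpenSSL 1.0.2j".
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?![\w.])")

def parse(version: str):
    """Sortable key; patch letters run a..z, then za, zb, so length sorts first."""
    m = BANNER.fullmatch(b"OpenSSL " + version.encode())
    if m is None:
        raise ValueError(f"not an OpenSSL version: {version!r}")
    major, minor, fix, patch = m.groups()
    return (int(major), int(minor), int(fix), len(patch), patch)

def find_versions(blob: bytes):
    """Distinct OpenSSL versions whose banner appears in the raw bytes, oldest first."""
    found = {b".".join(m.groups()[:3]).decode() + m.group(4).decode()
             for m in BANNER.finditer(blob)}
    return sorted(found, key=parse)

def audit(blob: bytes, sbom_declared, minimum: str):
    """Compare what the binary actually contains with what the SBOM claims."""
    found = find_versions(blob)
    declared = set(sbom_declared)
    return {
        "found": found,
        "undeclared": [v for v in found if v not in declared],
        "below_minimum": [v for v in found if parse(v) < parse(minimum)],
    }

# Constructed sample: padding plus the three banners the article lists for one image.
SAMPLE_IMAGE = (b"\x00" * 64 + b"OpenSSL 0.9.8zb\x00" + b"\xff" * 32 +
                b"OpenSSL 1.0.0a\x00" + b"_DXE" * 8 + b"OpenSSL 1.0.2j\x00")
SAMPLE_SBOM = ["1.0.2j"]    # constructed: the SBOM names only one of the copies
POLICY_MINIMUM = "1.0.2j"   # hypothetical policy floor, not a recommendation

if __name__ == "__main__":
    for key, value in audit(SAMPLE_IMAGE, SAMPLE_SBOM, POLICY_MINIMUM).items():
        print(f"{key}: {value}")
```

A raw byte scan only sees uncompressed data, so an empty result on a packed image does not show that OpenSSL is absent; unpack compressed firmware sections before scanning.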

Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
