Old OpenSSL Versions Found on Devices from Dell, HP, and Lenovo


An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.

The Unified Extensible Firmware Interface (UEFI), also known as EFI Development Kit or EDK, is an open-source implementation that serves as an interface between the operating system and firmware that is built into the hardware of a device. The second iteration of the firmware development environment (EDK II) includes a cryptographic package called CryptoPkg that draws on resources from the OpenSSL project.


According to firmware security firm Binarly, the firmware image associated with Lenovo ThinkPad enterprise devices was found to use three different OpenSSL versions: 0.9.8zb, 1.0.0a, and 1.0.2j, the most recent of which was released in 2018.
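A defender can look for the same kind of finding in a firmware dump by searching for the version banner that OpenSSL compiles into its builds. The Python script below is an added example, not Binarly's methodology or code from the original article; the sample image, its placeholder dates, and the 3.0.0 policy floor are constructed assumptions.

```python
import re

# OpenSSL builds embed a banner of the form "OpenSSL <version> <day> <Mon> <year>".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2}) +\d{1,2} [A-Z][a-z]{2} \d{4}")

def parse_version(text):
    """Turn '0.9.8zb' into a sortable tuple; letter suffixes order a..z, za, zb..."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if m is None:
        raise ValueError(f"not an OpenSSL version: {text!r}")
    major, minor, patch, letters = m.groups()
    return (int(major), int(minor), int(patch), len(letters), letters)

def scan_image(blob, min_supported="3.0.0"):
    """Report each OpenSSL version banner in blob, oldest first.

    min_supported is a local policy floor (an assumption of this example).
    """
    found = {}
    for m in BANNER.finditer(blob):
        found.setdefault(m.group(1).decode("ascii"), []).append(m.start())
    floor = parse_version(min_supported)
    return [
        {"version": v, "offsets": offs, "outdated": parse_version(v) < floor}
        for v, offs in sorted(found.items(), key=lambda kv: parse_version(kv[0]))
    ]

# Constructed sample standing in for a firmware dump. The version numbers are
# the ones named in the article; the dates are placeholders, not release dates.
SAMPLE_IMAGE = (
    b"\xff" * 16
    + b"OpenSSL 1.0.2j  1 Jan 2000\x00"
    + b"\x00" * 8
    + b"OpenSSL 0.9.8zb 1 Jan 2000\x00"
    + b"OpenSSL 1.0.0a 1 Jan 2000\x00"
    + b"OpenSSL 1.0.2j  1 Jan 2000\x00"
)

if __name__ == "__main__":
    for hit in scan_image(SAMPLE_IMAGE):
        flag = "OUTDATED" if hit["outdated"] else "ok"
        offsets = ", ".join(hex(o) for o in hit["offsets"])
        print(f"{hit['version']:<10} {flag:<9} at {offsets}")
```

A raw scan only sees uncompressed regions. UEFI firmware volumes often contain compressed sections, so run the same check over the extracted modules as well.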
