An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk.
The EFI Development Kit (EDK) is an open-source implementation of the Unified Extensible Firmware Interface (UEFI), the interface between a device's operating system and the firmware built into its hardware. The second iteration of this firmware development environment (EDK II) includes a cryptographic package called CryptoPkg that draws on resources from the OpenSSL project.
Three different OpenSSL versions, the most recent of which was released in 2018, were discovered in the firmware image associated with Lenovo ThinkPad enterprise devices, according to firmware security firm Binarly. These versions are 0.9.8zb, 1.0.0a, and 1.0.2j.
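As an added example (not code from the article or from Binarly's tooling), the following Python script shows the simplest form of the check such an analysis rests on: scanning a firmware dump for the version banner that OpenSSL compiles into libcrypto, then flagging any hit whose release branch had already reached end of life. The sample image, the analysis date and the hand-maintained end-of-life table are constructed for the demo.

```python
import re
from datetime import date
from typing import Dict, List

# OpenSSL compiles its version banner into libcrypto as a plain string,
# e.g. b"OpenSSL 1.0.2j  26 Sep 2016", so a UEFI module that statically
# links the library carries the banner in its data section.
OPENSSL_BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]{0,2})(?=[\s\x00])")

# End-of-support dates of the OpenSSL branches relevant here (hand-maintained
# table from OpenSSL's published release strategy; extend for newer branches).
BRANCH_EOL: Dict[str, date] = {
    "0.9.8": date(2015, 12, 31), "1.0.0": date(2015, 12, 31),
    "1.0.1": date(2016, 12, 31), "1.0.2": date(2019, 12, 31),
    "1.1.0": date(2019, 9, 11), "1.1.1": date(2023, 9, 11),
}
AS_OF = date(2022, 11, 1)  # assumed analysis date for the demo

def release_branch(version: str) -> str:
    """'1.0.2j' -> '1.0.2': drop the letter suffix that marks patch releases."""
    return re.match(r"\d+\.\d+\.\d+", version).group(0)

def is_unsupported(version: str, as_of: date) -> bool:
    """True if the version's branch had reached end of life before as_of."""
    eol = BRANCH_EOL.get(release_branch(version))
    return eol is not None and eol < as_of

def triage(blob: bytes, as_of: date) -> List[Dict[str, object]]:
    """List each distinct embedded OpenSSL version, its first offset in the
    image and whether its branch was already unsupported on as_of."""
    first_offset: Dict[str, int] = {}
    for m in OPENSSL_BANNER.finditer(blob):
        first_offset.setdefault(m.group(1).decode("ascii"), m.start())
    return [{"version": v, "offset": off, "unsupported": is_unsupported(v, as_of)}
            for v, off in first_offset.items()]

# Constructed stand-in for a firmware dump: filler bytes around the three
# banners named in the report (dates here are illustrative, not extracted).
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"OpenSSL 0.9.8zb 6 Aug 2014\x00" + b"\xff" * 32
    + b"OpenSSL 1.0.0a 1 Jun 2010\x00" + b"\x00" * 16
    + b"OpenSSL 1.0.2j  26 Sep 2016\x00" + b"OpenSSL 1.0.2j  26 Sep 2016\x00"
)

if __name__ == "__main__":
    for row in triage(SAMPLE_IMAGE, AS_OF):
        print(row)
```

Run against a real dump, the same scan gives a first inventory of embedded OpenSSL builds to compare against the vendor's stated component versions.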