Researchers discovered that devices from Dell, HP, and Lenovo still ship firmware built with outdated versions of the OpenSSL cryptographic library.
Binarly researchers discovered that devices from Dell, HP, and Lenovo are still using outdated versions of the OpenSSL cryptographic library in their firmware.
The OpenSSL software library provides secure communications over computer networks, protecting against eavesdropping and allowing a party to authenticate the peer at the other end. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.
The researchers discovered the issue by analyzing firmware images used in devices from the above manufacturers.
The experts analyzed EDK II, one of the core frameworks on which most UEFI firmware is built. EDK II carries its own submodule and wrapper over the OpenSSL library (OpensslLib) in its CryptoPkg component.
EDK II is a modern, feature-rich, cross-platform firmware development environment for the UEFI and UEFI Platform Initialization (PI) specifications.
The main EDK II repository is hosted on GitHub and is updated frequently.
The experts first analyzed Lenovo ThinkPad enterprise devices and discovered that a single firmware image used several different versions of OpenSSL.
The Lenovo ThinkPad firmware image contained three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j. The most recent of the three, 1.0.2j, was released in September 2016.
“Many of the security-related firmware modules contain significantly outdated versions of OpenSSL. Some of them like InfineonTpmUpdateDxe contain code known to be vulnerable for at least eight (8) years.” reads the report published by Binarly. “The InfineonTpmUpdateDxe module is responsible for updating the firmware of the Trusted Platform Module (TPM) on the Infineon chip. This clearly indicates the supply chain problem with third-party dependencies when it looks like these dependencies never received an update, even for critical security issues.”
One of the firmware modules, InfineonTpmUpdateDxe, uses OpenSSL version 0.9.8zb, which was released in August 2014.
Across Lenovo enterprise devices more broadly, the most recent OpenSSL version the researchers found in use dates back to the summer of 2021.
[Image: for each vendor, all the OpenSSL versions detected in the wild by the Binarly Platform.]
The experts pointed out that the firmware of a single device often relies on several different versions of OpenSSL at once.
The reason is that third-party suppliers in the firmware supply chain maintain their own code bases, which are often not available to the device firmware developers who integrate their modules. The researchers explained that this introduces an extra layer of supply chain complexity: each supplier pins its own copy of OpenSSL, and the OEM has no single place to update it.
“Most of the OpenSSL dependencies are linked statically as libraries to specific firmware modules that create compile-time dependencies which are hard to identify without deep code analysis capabilities.” continues the report. “Historically the problem inside third-party code dependencies is not an easy issue to solve at the compiled code level.”
The experts noticed that devices from Dell and Lenovo relied on version 0.9.8l, which dates back to 2009.
Some Lenovo devices used version 1.0.0a, which dates back to 2010, while all three vendors (Lenovo, Dell, HP) were observed using version 0.9.8w, which dates back to 2012.
“We see an urgent need for an extra layer of SBOM Validation when it comes to compiled code to validate on the binary level, the list of third-party dependency information that matches the actual SBOM provided by the vendor,” concludes the report. “A ‘trust-but-verify’ approach is the best way to deal with SBOM failures and reduce supply chain risks.”
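The binary-level check the report calls for is simpler than it sounds for OpenSSL specifically, because the library compiles its version banner (OPENSSL_VERSION_TEXT, e.g. "OpenSSL 1.0.2j  26 Sep 2016") into libcrypto as a plain string, and a statically linked module carries that string in its own image. The following example, written for this article and not Binarly's tooling, scans module images for that banner, compares what it finds with what a (simplified) vendor SBOM declares, and flags versions on release branches whose public support has ended. The module names, module bytes and SBOM are constructed for illustration; only the banner format and the release dates in the banners are real.

```python
"""Binary-level check of statically linked OpenSSL versions against a vendor SBOM.

Added example for this article, not Binarly's tooling. The module images, the
module names and the SBOM below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# OpenSSL compiles its version banner (OPENSSL_VERSION_TEXT) into libcrypto as a
# plain string such as "OpenSSL 1.0.2j  26 Sep 2016". A module that links the
# library statically carries that banner in its own image, so a byte-level scan
# recovers the version without trusting anything the vendor declared.
BANNER_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)(?:\s+(\d{1,2} [A-Z][a-z]{2} \d{4}))?"
)

# OpenSSL release branches whose public support has ended (1.0.2 continued only
# under paid premium support after the date shown).
EOL_BRANCHES = {
    "0.9.8": "Dec 2015", "1.0.0": "Dec 2015", "1.0.1": "Dec 2016",
    "1.0.2": "Dec 2019", "1.1.0": "Sep 2019", "1.1.1": "Sep 2023",
}


def branch_of(version: str) -> str:
    """Map a version to its release branch: 0.9.8zb -> 0.9.8, 3.0.7 -> 3.0."""
    major, minor, patch = re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()
    return f"{major}.{minor}" if int(major) >= 3 else f"{major}.{minor}.{patch}"


def find_openssl_banners(blob: bytes) -> dict[str, str | None]:
    """Return {version: release_date} for every OpenSSL banner found in blob."""
    found: dict[str, str | None] = {}
    for m in BANNER_RE.finditer(blob):
        date = m.group(2).decode() if m.group(2) else None
        found.setdefault(m.group(1).decode(), date)
    return found


@dataclass
class Finding:
    module: str
    kind: str    # ok | mismatch | undeclared | not_found | eol
    detail: str


def validate_sbom(modules: dict[str, bytes], sbom: dict[str, str]) -> list[Finding]:
    """Compare the OpenSSL versions embedded in each module with its SBOM entry.

    The SBOM is simplified here to {module name: declared OpenSSL version}.
    """
    findings: list[Finding] = []
    for name, blob in modules.items():
        found = find_openssl_banners(blob)
        declared = sbom.get(name)
        if not found and declared:
            findings.append(Finding(name, "not_found",
                            f"SBOM declares OpenSSL {declared}, no banner in binary"))
        for version in found:
            if declared is None:
                findings.append(Finding(name, "undeclared",
                                f"binary embeds OpenSSL {version}, SBOM lists none"))
            elif version != declared:
                findings.append(Finding(name, "mismatch",
                                f"binary embeds OpenSSL {version}, SBOM declares {declared}"))
            else:
                findings.append(Finding(name, "ok", f"OpenSSL {version} matches SBOM"))
            eol = EOL_BRANCHES.get(branch_of(version))
            if eol:
                findings.append(Finding(name, "eol",
                                f"OpenSSL {version} is on branch {branch_of(version)}, "
                                f"unsupported since {eol}"))
    return findings


# Constructed stand-ins for firmware modules (hypothetical names, a few bytes of
# padding around the banner). The banner dates are OpenSSL's real release dates.
MODULES = {
    "BootTlsDxe": b"\x00" * 8 + b"OpenSSL 1.0.2j  26 Sep 2016\x00" + b"\xff" * 8,
    "SecureBootCfgDxe": b"MZ\x90\x00" + b"OpenSSL 1.0.2j  26 Sep 2016\x00",
    "TpmFwUpdateDxe": b"\x00OpenSSL 0.9.8l 5 Nov 2009\x00",
    "HttpBootDxe": b"\x00" * 16,  # links no OpenSSL at all
}

# Constructed vendor SBOM: TpmFwUpdateDxe is missing from it entirely.
SBOM = {"BootTlsDxe": "1.0.2j", "SecureBootCfgDxe": "1.0.2za", "HttpBootDxe": "1.1.1k"}


if __name__ == "__main__":
    for f in validate_sbom(MODULES, SBOM):
        print(f"{f.module:18} {f.kind:10} {f.detail}")
```

On the constructed input this reports each of the failure classes the article describes: a module whose embedded version matches the SBOM but sits on an end-of-life branch, a module where the SBOM claims a newer 1.0.2 release than the binary actually contains, a module that embeds OpenSSL without appearing in the SBOM at all (the InfineonTpmUpdateDxe pattern), and an SBOM entry with no corresponding banner. Against a real firmware image you would feed it the individual module bodies carved out of the UEFI volume rather than the whole image, so that each finding is attributed to the module that statically linked the library.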
(SecurityAffairs – hacking, firmware)