There were 23 CVEs published for the InsydeH2O UEFI firmware:
https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/
I saw that the DEC appliances sold by Deciso use that firmware:
https://www.insyde.com/press_news/press-releases/insyde%C2%AE-software-powers-opnsense%C2%AE-network-appliance-leveraging-amd-epyc%E2%84%A2
Is there anywhere to download the security updates for these devices?
Have you run a test to see if you are vulnerable on OPNsense 22 using the link below, as provided in your link?
https://github.com/binarly-io/FwHunt/tree/main/rules
Oh! This stuff is fresh off the press... :D
Well, this is news to us too so we asked Insyde what this is all about. I'll report back as soon as we know.
Cheers,
Franco
Quote from: franco on February 03, 2022, 09:15:05 AM
Well, this is news to us too so we asked Insyde what this is all about. I'll report back as soon as we know.
Cheers,
Franco
Did Insyde get back to you guys?
I have not been able to figure out how to open a case for the DEC850 about this... nice!
We just received a firmware update from Insyde, check our docs for details https://docs.opnsense.org/hardware/bios.html
It failed!
Insyde H2OFFT (Flash Firmware Tool) Version (SEG) 200.00.00.10
Copyright (C) 2020 Insyde Software Corp. All Rights Reserved.
Loading New BIOS Image File: ....Done
Current BIOS Model Name: NetBoard-A20
New BIOS Model Name: NetBoard-A20
Current BIOS Version: 05.22.01.0011.0008
New BIOS Version: 05.22.01.0011.0009
Updating Block at FF357000h
0% 25% 50% 75% 100%
**********++++++++++++++++++++++++++++++++++++++++ 20%
SMI_WriteRom (Verify failed)SMI_WriteRom (Verify failed)SMI_WriteRom (Verify failed)
Error: Update BIOS Failed!
Now I have a DEAD DEC850!!! :'( :'( :'( :'( :'( :'( :'(
Doesn't it boot at all anymore? Or are you still receiving some serial output? If it's the latter, I can ask Monday at the office if there's anything else worth trying before returning the unit. Without any output, best contact support for an RMA form and return the unit for repair.
Best regards,
Ad
It does not boot at all. :'( Nothing at all from the console. :'(
What's the best way to contact them?
Just drop us an email (sales@opnsense.com) with the serial number of the device included; my colleague should answer you Monday with a repair form so you can return it for repair under warranty.
Better offer an advance replacement if you want to keep a happy customer. Just sayin ...
Ouch. Has anyone at Deciso successfully updated the BIOS on the DEC850 using the Linux image provided? Since I have a DEC850, I'm wondering if this is a problem with the provided BIOS updater. I don't want to take the chance updating my DEC850 until there is confirmation that there is no issue with the update.
Another question: I think that the DEC700 series uses Insyde as well; however, the BIOS page does not say that the BIOS update is applicable.
So will there be an update for those devices as well?
Just for clarification, I used the Windows version of the file and validated the checksum as well. :'(
Might be caused by a broken USB stick or a malfunction of the flash chip. To be very sure it's not an issue with the instructions or the binaries, I went to the office yesterday and tested both procedures myself on the same device type, which didn't cause any issues.
Whatever the cause of the issue is, the devices do come with a warranty, so just contact our office and let my colleagues handle it as suggested.
Best regards,
Ad
@meyergru
Another question: I think that the DEC700 series uses Insyde as well; however, the BIOS page does not say that the BIOS update is applicable.
So will there be an update for those devices as well?
I think there's an update underway for the 700 series as well; I'm not sure if the same CVEs apply, to be honest.
Quote from: gfeiner on March 05, 2022, 08:53:34 PM
Ouch. Has anyone at Deciso successfully updated the BIOS on the DEC850 using the Linux image provided? Since I have a DEC850, I'm wondering if this is a problem with the provided BIOS updater. I don't want to take the chance updating my DEC850 until there is confirmation that there is no issue with the update.
Yes, I did yesterday, but I'm quite sure my colleagues tested the image as well before handing over the Windows installer and dd image.
I'm personally always a bit cautious with BIOS updates after a similar trauma in the '90s, wrecking a mainboard after an unsuccessful flash. There's always some risk involved, unfortunately (power failure during the operation being one of the most famous issues); without firmware there's nothing to recover from, and to program the flash chip externally you need specialised equipment.
Quote from: AdSchellevis on March 06, 2022, 11:19:25 AM
Might be caused by a broken USB stick or a malfunction of the flash chip. To be very sure it's not an issue with the instructions or the binaries, I went to the office yesterday and tested both procedures myself on the same device type, which didn't cause any issues.
Whatever the cause of the issue is, the devices do come with a warranty, so just contact our office and let my colleagues handle it as suggested.
Best regards,
Ad
Now, wouldn't it have been nice to run a verify after the extraction onto the USB to validate the files?
I don't think Insyde's tool offers additional validations; we also don't know if that would have prevented your issue. I'm sure my colleagues will check your device when it comes in and improve the procedure if needed.
Best regards,
Ad
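The read-back verification discussed in the last two posts, as an added example that is not part of the thread and not Deciso's or Insyde's tooling. It checks the downloaded dd image against a published SHA-256, writes it to the stick, then reads back exactly the image's size from the stick and compares hashes, so a bad download or a stick that silently corrupts writes is caught before H2OFFT runs. It can only vouch for the USB stick, not for the device's flash chip: an SMI_WriteRom verify failure like the one above happens inside the device and is not something this catches. Image path, device node and expected hash are placeholders; the real hash comes from the docs page.

```shell
#!/bin/sh
# Added example (not Deciso's or Insyde's code): verify a BIOS dd image
# before and after writing it to a USB stick. Paths and the expected hash
# are placeholders; take the real values from the OPNsense docs page.

# Print the SHA-256 of a file (or of stdin when given "-").
# Works on Linux (sha256sum) and macOS (shasum), since the thread has
# people preparing the stick on either.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: confirm the downloaded image matches the published checksum.
# Returns 0 on match, 1 on mismatch.
check_download() {
    image="$1"; expected="$2"
    actual=$(sha256_of "$image")
    [ "$actual" = "$expected" ]
}

# Step 2: write the image to the stick. bs is given in bytes so the same
# command works with GNU and BSD dd; sync flushes the write cache before
# the stick is pulled.
write_image() {
    image="$1"; target="$2"
    dd if="$image" of="$target" bs=1048576 2>/dev/null && sync
}

# Step 3: read back exactly as many bytes as the image has and compare
# hashes. The stick is larger than the image, so hashing the whole device
# would never match; only the written prefix is compared.
verify_written_image() {
    image="$1"; target="$2"
    size=$(wc -c < "$image" | tr -d ' ')
    expected=$(sha256_of "$image")
    actual=$(head -c "$size" "$target" | sha256_of -)
    [ "$expected" = "$actual" ]
}

# Usage (placeholder paths; double-check the device node before running,
# dd will happily overwrite the wrong disk):
#   check_download bios-update.img "<sha256 from the docs page>" || exit 1
#   write_image bios-update.img /dev/sdX
#   verify_written_image bios-update.img /dev/sdX || echo "read-back mismatch"
```

Run the three steps in order and stop at the first non-zero exit; a mismatch in step 3 means a different stick, not a retry of the flash.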
FYI, I successfully updated the BIOS on my DEC850. I used the Linux image and extracted it to a USB key using a Mac. After updating the BIOS and then powering the unit off and back on, the BIOS setup reported version 9.
@AdSchellevis
Is there some sort of notification list we can sign up for to be notified of important BIOS updates like this? If I hadn't spotted this thread on the forum, I never would have known about the update.
@gfeiner We plan to keep the updates and documentation on the OPNsense docs (https://docs.opnsense.org/hardware/bios.html); previously we published them on our Deciso website, but the website is under construction. Other notification types aren't planned; without (shell) access to the firewall most CVEs likely won't apply anyway, but I haven't read all the details, to be very honest.