Opnsense / Deciso DEC firmware updates for CVEs?

Started by os914964619, February 03, 2022, 12:30:03 AM

Might be caused by a broken USB stick or a malfunction of the flash chip. To be very sure it's not an issue with the instructions or the binaries, I went to the office yesterday and tested both procedures myself on the same device type, which didn't cause any issues.

Whatever the cause of the issue is, the devices do come with warranty, so just contact our office and let my colleagues handle it as suggested.

Best regards,

Ad

@meyergru

Another question: I think that the DEC700 series uses Insyde as well; however, the BIOS page does not say that the BIOS update is applicable.

So will there be an update for those devices as well?


I think there's an update underway for the 700 series as well; I'm not sure if the same CVEs apply, to be honest.

Quote from: gfeiner on March 05, 2022, 08:53:34 PM
Ouch. Has anyone at Deciso successfully updated the BIOS on the DEC850 using the Linux image provided? Since I have a DEC850, I'm wondering if this is a problem with the provided BIOS updater. I don't want to take the chance updating my DEC850 until confirmation there is no issue with the update.

Yes, I did yesterday, but I'm quite sure my colleagues tested the image as well before handing over the Windows installer and dd image.

I'm personally always a bit cautious with BIOS updates after similar trauma in the '90s, wrecking a mainboard after an unsuccessful flash. There's always some risk involved unfortunately (power failure during the operation being one of the most famous issues); without firmware there's nothing to recover to, and to program the flash chip externally you need specialised equipment.


Quote from: AdSchellevis on March 06, 2022, 11:19:25 AM
Might be caused by a broken USB stick or a malfunction of the flash chip. To be very sure it's not an issue with the instructions or the binaries, I went to the office yesterday and tested both procedures myself on the same device type, which didn't cause any issues.

Whatever the cause of the issue is, the devices do come with warranty, so just contact our office and let my colleagues handle it as suggested.

Best regards,

Ad

Now, wouldn't it have been nice to run a verify after the extraction onto the USB to validate the files?

I don't think Insyde's tool offers additional validations; we also don't know if that would have prevented your issue. I'm sure my colleagues will check your device when it comes in and improve the procedure if needed.

Best regards,

Ad

FYI. I successfully updated the BIOS on my DEC850. I used the Linux image and extracted it to a USB key using a Mac. After updating the BIOS and then powering off the unit and then back on, the BIOS setup reported version 9.

@AdSchellevis
Is there some sort of notification list we can sign up for to be notified of important BIOS updates like this? If I hadn't spotted this thread on the forum, I never would have known of the update.

@gfeiner We plan to keep the updates and documentation on the OPNsense docs (https://docs.opnsense.org/hardware/bios.html). Previously we published them on our Deciso website, but the website is under construction. Other notification types aren't planned; without (shell) access to the firewall most CVEs likely won't apply anyway, but I haven't read all the details, to be very honest.