Opnsense / Deciso DEC firmware updates for CVEs?

Started by os914964619, February 03, 2022, 12:30:03 AM

There were 23 CVEs that were published that are part of the InsydeH2O UEFI firmware:

https://www.bleepingcomputer.com/news/security/uefi-firmware-vulnerabilities-affect-at-least-25-computer-vendors/

I saw that the DEC appliances sold by Deciso use that firmware:

https://www.insyde.com/press_news/press-releases/insyde%C2%AE-software-powers-opnsense%C2%AE-network-appliance-leveraging-amd-epyc%E2%84%A2

Is there anywhere to download the security updates for these devices?

February 03, 2022, 02:20:55 AM #1 Last Edit: February 03, 2022, 02:25:56 AM by lilsense
Have you run a test to see if you are vulnerable on Opnsense 22 using the below link as provided by your link?

https://github.com/binarly-io/FwHunt/tree/main/rules


Oh! This stuff is fresh off the press... :D

Well, this is news to us too so we asked Insyde what this is all about. I'll report back as soon as we know.


Cheers,
Franco

Quote from: franco on February 03, 2022, 09:15:05 AM
Well, this is news to us too so we asked Insyde what this is all about. I'll report back as soon as we know.


Cheers,
Franco

Did Insyde get back to you guys?

I have not been able to figure out how to open a case for the DEC850 about this... nice!

We just received a firmware update from Insyde, check our docs for details https://docs.opnsense.org/hardware/bios.html

It failed!

          Insyde H2OFFT (Flash Firmware Tool) Version (SEG) 200.00.00.10
         Copyright (C) 2020 Insyde Software Corp. All Rights Reserved.


                           Loading New BIOS Image File: ....Done

                  Current BIOS Model Name: NetBoard-A20
                  New     BIOS Model Name: NetBoard-A20
                  Current BIOS Version: 05.22.01.0011.0008
                  New     BIOS Version: 05.22.01.0011.0009


                        Updating Block at FF357000h       
          0%          25%         50%          75%         100%
           **********++++++++++++++++++++++++++++++++++++++++      20%
SMI_WriteRom (Verify failed)SMI_WriteRom (Verify failed)SMI_WriteRom (Verify failed)Error: Update BIOS Failed!

Now I have a DEAD DEC850!!! :'( :'( :'( :'( :'( :'( :'(

Doesn't it boot at all anymore? Or are you still receiving some serial output? If it's the latter, I can ask Monday at the office if there's anything else worth trying before returning the unit. Without any output, it's best to contact support for an RMA form and return the unit for repair.

Best regards,

Ad

It does not boot at all. :'( Nothing at all from the console :'(

What's the best way to contact them?

Just drop us an email (sales@opnsense.com) with the serial number of the device included, my colleague should answer you Monday with a repair form so you can return it for repair under warranty.


Better offer an advance replacement if you want to keep a happy customer. Just sayin ...
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

March 05, 2022, 08:53:34 PM #12 Last Edit: March 05, 2022, 10:42:39 PM by gfeiner
Ouch. Has anyone at Deciso successfully updated the BIOS on the DEC850 using the Linux image provided? Since I have a DEC850, I'm wondering if this is a problem with the provided BIOS updater. I don't want to take the chance updating my DEC850 until confirmation there is no issue with the update.

Another question: I think that the DEC700 series uses Insyde as well - however the BIOS page does not say that the BIOS update is applicable.

So will there be an update for those devices as well?
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Just for clarification, I used the Windows version of the file and validated the checksum as well. :`(