Security Updates for INSYDE-SA-2024015
Closed this issue · 5 comments
Device Information
Framework 13 12th Gen
System Model or SKU
FRANDACP08
Please select one of the following
- Framework Laptop 13 (11th Gen Intel® Core™)
- Framework Laptop 13 (12th Gen Intel® Core™)
- Framework Laptop 13 (13th Gen Intel® Core™)
- Framework Laptop 13 (AMD Ryzen™ 7040 Series)
- Framework Laptop 13 (Intel® Core™ Ultra Series 1)
- Framework Laptop 16 (AMD Ryzen™ 7040 Series)
BIOS VERSION
03.09
Describe the bug
Your BIOS vendor released security updates on 2025-04-08. I would like to know when this is being incorporated into Framework's BIOSes. Dell, for example, has classified this as a high severity issue and has released updates for all their affected laptops in the last couple of days: https://www.dell.com/support/kbdoc/en-us/000285110/dsa-2025-091
Thanks for the information. We will start planning this fix, then update the schedule.
We plan to fix INSYDE-SA-2024015 for 12th gen in the next release.
Target release date is around mid-May.
INSYDE-SA-2024021 is CVE-2024-7344
This is not a vulnerability in Insyde BIOS; it's a third-party application that's signed by the Microsoft UEFI keys.
Because we include the Microsoft public keys to be able to boot Windows, we are vulnerable to that.
The mitigation is simple: in future updates we will include dbx entries to blacklist this third-party application.
But before that, it's also really easy to mitigate:
- For Windows users the 2025 January 14 Update includes a DBX Update
- For Linux users DBX can be updated using LVFS and an updated one is already available: https://fwupd.org/lvfs/devices/com.microsoft.dbx.x64.firmware
I split it out into here: #66
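To confirm on Linux that a DBX update actually landed, the revocation list can be read back and searched for a digest. The following is an added example, not code from Framework, Insyde or fwupd: it parses the EFI_SIGNATURE_LIST layout defined in the UEFI specification, the function names are hypothetical, and the sample DBX and digests are constructed placeholders because this page does not give the revoked application's hash.

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification.
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
DBX_PATH = "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"


def dbx_sha256_entries(blob):
    """Return the SHA-256 digests (hex) found in concatenated EFI_SIGNATURE_LISTs."""
    digests, off = set(), 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize at offset %d" % off)
        body = blob[off + 28 + hdr_size:off + list_size]
        if sig_type == EFI_CERT_SHA256:
            if sig_size != 48 or len(body) % sig_size:
                raise ValueError("malformed SHA-256 signature list")
            for i in range(0, len(body), sig_size):
                digests.add(body[i + 16:i + 48].hex())  # skip 16-byte SignatureOwner
        off += list_size  # other list types (e.g. X.509) are skipped, not parsed
    return digests


def is_revoked(dbx_blob, digest_hex):
    # dbx hash entries are Authenticode digests of the PE image, not a plain file hash.
    return digest_hex.lower() in dbx_sha256_entries(dbx_blob)


def read_live_dbx(path=DBX_PATH):
    with open(path, "rb") as f:
        return f.read()[4:]  # efivarfs prepends 4 bytes of variable attributes


def sig_list(sig_type, entries):
    body = b"".join(bytes(16) + e for e in entries)  # all-zero SignatureOwner
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body


# Constructed sample data: placeholder digests, not real revocation entries.
REVOKED = hashlib.sha256(b"constructed placeholder, not a real revoked image").digest()
OTHER = hashlib.sha256(b"constructed unrelated entry").digest()
SAMPLE_DBX = sig_list(EFI_CERT_X509, [bytes(32)]) + sig_list(EFI_CERT_SHA256, [OTHER, REVOKED])
```

On a real machine, pass `read_live_dbx()` to `is_revoked` together with the digest published for the revoked binary.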
We released Framework Laptop 13 (12th Gen Intel® Core™) BIOS 3.17 beta 2 weeks ago in the community. We will move it to stable and release it on the website this week.
BIOS 3.17 has been moved to stable and is available on the website.