
Security Updates for INSYDE-SA-2024015 #63

Open
1 of 6 tasks
Klaas- opened this issue Apr 16, 2025 · 3 comments
Klaas- commented Apr 16, 2025

Device Information

Framework 13 12th Gen

System Model or SKU

FRANDACP08

Please select one of the following

  • Framework Laptop 13 (11th Gen Intel® Core™)
  • Framework Laptop 13 (12th Gen Intel® Core™)
  • Framework Laptop 13 (13th Gen Intel® Core™)
  • Framework Laptop 13 (AMD Ryzen™ 7040 Series)
  • Framework Laptop 13 (Intel® Core™ Ultra Series 1)
  • Framework Laptop 16 (AMD Ryzen™ 7040 Series)

BIOS VERSION

03.09

Describe the bug

Your BIOS vendor has released security updates on 2025-04-08. I would like to know when this is being incorporated into Framework's BIOSes. Dell, for example, has classified this as a high severity issue and has released updates for all their affected laptops in the last couple of days: https://www.dell.com/support/kbdoc/en-us/000285110/dsa-2025-091


@quinchou77

Thanks for the information. We will start planning this fix, then update the schedule.

quinchou77 self-assigned this Apr 17, 2025

quinchou77 commented Apr 22, 2025

We plan to fix INSYDE-SA-2024015 for 12th gen in the next release.
Target release date is around mid-May.

Member

JohnAZoidberg commented Apr 23, 2025

INSYDE-SA-2024021 is CVE-2024-7344.
This is not a vulnerability in Insyde BIOS; it's a third-party application that's signed by the Microsoft UEFI keys.
Because we include the Microsoft public keys to be able to boot Windows, we are vulnerable to that.

The mitigation is simple: in future updates we will include dbx entries to blacklist this third-party application.

But before that, it's also really easy to mitigate:

I split it out into here: #66

JohnAZoidberg changed the title from "Security Updates for INSYDE-SA-2024015 and INSYDE-SA-2024021" to "Security Updates for INSYDE-SA-2024015" on Apr 23, 2025
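
The dbx revocation mentioned in JohnAZoidberg's comment above can be verified by parsing the dbx contents. This is an added example, not code from the thread or from Framework: a Python parser for the UEFI `EFI_SIGNATURE_LIST` format that reports whether a SHA-256 image digest is present. The function names are hypothetical and the sample blob and digests are constructed; the real revocation hashes are not on this page.

```python
import hashlib
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: marks lists of SHA-256 digests.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
HEADER_SIZE = 28  # 16-byte type GUID + three little-endian uint32 size fields


def dbx_sha256_hashes(blob: bytes) -> set:
    """Return every SHA-256 digest (hex) in a run of concatenated EFI_SIGNATURE_LISTs."""
    hashes, off = set(), 0
    while off < len(blob):
        if len(blob) - off < HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < HEADER_SIZE + hdr_size or off + list_size > len(blob):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        body = blob[off + HEADER_SIZE + hdr_size:off + list_size]
        if sig_size < 16 or len(body) % sig_size:
            raise ValueError("bad SignatureSize")
        # Other list types (for example X.509 certificates) are skipped.
        if sig_type == EFI_CERT_SHA256_GUID and sig_size == 48:
            for i in range(0, len(body), sig_size):
                # EFI_SIGNATURE_DATA: 16-byte owner GUID, then the 32-byte digest.
                hashes.add(body[i + 16:i + sig_size].hex())
        off += list_size
    return hashes


def is_revoked(blob: bytes, image_sha256_hex: str) -> bool:
    """True if the given image digest appears in the dbx blob."""
    return image_sha256_hex.lower() in dbx_sha256_hashes(blob)


def build_sha256_list(digests, owner=uuid.UUID(int=0)):
    """Build one EFI_SIGNATURE_LIST from digests (used only for the sample below)."""
    entries = b"".join(owner.bytes_le + d for d in digests)
    sizes = struct.pack("<III", HEADER_SIZE + len(entries), 0, 48)
    return EFI_CERT_SHA256_GUID.bytes_le + sizes + entries


# Constructed sample: stand-in digests, not real revocation hashes.
SAMPLE_DIGESTS = [hashlib.sha256(b"constructed-app-%d" % i).digest() for i in range(2)]
SAMPLE_DBX = build_sha256_list(SAMPLE_DIGESTS[:1]) + build_sha256_list(SAMPLE_DIGESTS[1:])

if __name__ == "__main__":
    print(is_revoked(SAMPLE_DBX, SAMPLE_DIGESTS[1].hex()))
```

When reading dbx from Linux efivarfs, strip the leading 4-byte attribute field before parsing. The digests stored in dbx are Authenticode hashes of the PE image, not a plain SHA-256 of the file.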