Intel 11th Gen Firmware Support - a BIG question mark

Hi there,
proud owner of 11th gen intel version, but at the same time very disappointed information security expert. If not angry. And would like to give my machine back.

Since September 2023 I am waiting for a Firmware Update which addresses nothing less than 2 medium and 2 high ranked security issues with the BIOS.
https://knowledgebase.frame.work/en_us/framework-laptop-bios-releases-S1dMQt6F
That page mentions the EFI Shell update within short. But what is short in the aspect of such high rated security issues?
Is that a fair move to keep users in suspense for such a long time?
Don’t make promises you are not going to keep.

And it reminds me of something: The charging implementation on my 11th gen intel is still not working properly. When setting the charge limit to 80%, the USB connection is reset every two minutes resulting in a loss of external mouse, keyboard and screen connection. What the heck! No wonder it never passed the Thunderbolt announced certification.

Can I get an exchange mainboard that works as announced please?

Framework, you do a great job and you deserve all the respect, but don’t gamble with your community by just dropping support for your (not even yet) legacy!
And don’t play with security, you are compromising far too much!

BR
Uwe

1 Like

Are you using Linux? The disconnect is provoked by the change in charging current, and there is a well-known workaround that I am using too, with a little script.

Also, you are probably aware that they are precisely currently tackling this problem of firmware updates frequency? With a growth in their team and all. So I’d say you could just wait a bit more and see what happens.

Hi Mapleleaf,
thank you for your reply. Yes I am on Linux and I am aware of workarounds - with mixed results.
** Please don’t get me wrong, the work of framework is outstanding **

Still the situation is that
1a) Framework seeks for people (especially BIOS engineering) since very long
1b) For the 11th gen intel BIOS, framework has shown they are able to provide an EFI shell update method and still for the latest BIOS version addressing two high risk vulnerabilities and two medium ones, they are not available since May 2023. That is a year soon! Is that a way to address security?
2) The disconnect issue for this USB-C connector that was announced as something “Technically TB4, but not sure if we get it certified” exists since the device is on the market. My support request for this goes back to September 2022. If they did not solve it until now, they never will! That’s why I am asking if I can get it replaced with something that gets support?

How would you rate the framework support?
How do they deal with “design issues”?

In the meantime, could you tell more about what’s going wrong with this workaround?

Framework has notoriously bad BIOS support. If you care about security, it’s probably best to buy something from a reputable vendor like Lenovo until Framework’s firmware team is more mature.

1 Like

Notorious really?

The 3.19 I am using is from Dec 2021.

This is a topic on the 11th Gen by the way. Is that what you have and why you are complaining?

And by the way what security issues do you think I may be susceptible to that would cause you or me much concern?

1 Like

> Notorious really?

I think notorious is fair: Framework’s software and firmware have been a mess, but it’s working on them | Ars Technica

> The 3.19 I am using is from Dec 2021.

2021 is 3 years ago (2 and a half years since December if you wanna split hairs), and OP is correct that there have been several vulnerabilities discovered since then.

> Is that what you have and why you are complaining

I have a 12th gen but I’m not the one complaining here, OP is. I was just suggesting he find a vendor with a better bios support track record if he wants vulns to be patched quickly.

> what security issues

I don’t know what your threat model is, but arbitrary code execution is a valid cause for concern for me: NVD - CVE-2022-35407

3 Likes

Thanks for the link. Is that the Dec 2022 worry you have?

So if it’s an ongoing issue Framework either can’t put pressure on Insyde to fix it or it has been fixed and Framework have decided not to offer it.

I would imagine it’s more likely the first.

Whereas I have no security concerns, you have got me interested.
How likely is it to be exploited and
what threat does it present in the user world?

There are many dangers in the world, and they are increasing. My idea is to try and develop a lifestyle that isn’t so vulnerable rather than rely on others to fix the vulnerabilities they present or expect them to change.

Thanks again

So I wonder how someone is going to mess with my EFI and
what they can do to undermine my security.

Maybe ‘they’ have decided that although there is a vulnerability, as there is to the entry to every house, is it much of a problem when the house the user lives in is even more vulnerable?

2 Likes

I’m starting to dislike CVE more and more. :zipper_mouth_face:

I’m not going to go through all the CVEs, but there was one where, for any attack, access to the EFI partition was necessary. That means it is a physical attack or some sort of root exploit that allows writing to that partition. So, essentially, you already have to be compromised for this to be effective.

2 Likes

We’ve released an alpha version of a new EFI updater design today for 12th Gen, which is a rewrite to resolve the issues that we’ve seen around the previous updater handling different firmware areas on Intel platforms. Once we’re able to vet out this new updater type, we’ll be able to bring it to 11th Gen as well and continue to use it for further updates more easily in the future.

11 Likes

Think about how many things you run with elevated privileges. Even carefully vetting every application you run with root or root-like privileges, it’s not uncommon for trusted applications to fall victim to supply chain attacks. Privilege escalation bugs are also unfortunately common and can be used to exploit bios vulns just like these.

Malicious applications (or malicious libraries used by trusted applications, or malicious plugins in trusted applications) love vulnerabilities like these because by getting into the bios they can do whatever they want before the OS even loads. They can encrypt your data and ask for a ransom, they can put a malicious payload on your hard drive to install telemetry, etc. all while evading OS-level security.

It can affect dual-boot users as well. Maybe you play pirated games on one partition and do sensitive work on another partition thinking you’re safe, but vulns in firmware like this can totally blow your strategy.

So while it’s true that vulns like this require for something on your device to already be compromised, the chances are pretty high that something else on your device IS compromised. Firmware security is often all about defense-in-depth, yes, but there are really really good reasons to have defense-in-depth nowadays.

That is an interesting attack vector. Haven’t run Windows since the 90’s, but I thought they had the “Administrator”. Would a game need root-equivalent privileges to install?

If you’re already compromised, the BIOS vulnerability doesn’t make it any worse was my point. If someone has a privilege escalation, you’re toast. The attacker could also write to the firmware of the hard drive which would be an even worse persistent threat. If someone has physical access, you’re toast also.

IMO, including firmware in defense in depth is like saying

  • the front-door was unlocked (physical access)
  • and we put the keys to the safe next to the safe (privilege escalation)
  • but the robber had to wait 30 min because of the time-delay on the safe to open.

It is technically correct, which is the best type of correct on the internet, but I just don’t think it meaningfully improves most threat-models.

> Haven’t run Windows since the 90’s, but I thought they had the “Administrator”

Good point, I am also not very familiar with how Windows does it nowadays. I dual-boot linux distros (not for piracy though I promise, I buy my games :sweat_smile:).

> If someone has a privilege escalation, you’re toast.

This is not quite true. Linux security is not as simple as root vs non-root. Many exploits can escalate permission just far enough to enable read or write to a single folder for example, or to execute a single program or group of programs. Privilege escalation doesn’t always mean escalation to root, it often just means escalating far enough to deliver your payload or to exploit a deeper vuln (like a firmware vuln). This is why things like bubblewrap, firejail, AppArmor, and SELinux exist – they allow you to tighten your grip on applications with more granularity than the simple root vs non-root perms do without having to create a new user per application.

Firmware vulnerabilities like these can make relatively minor OS or application vulnerabilities into pretty major ones, which is why most laptop companies are so quick to patch them.

I think we’re mostly on the same page though :+1: We agree defense-in-depth is good, and just disagree on the importance to the average user.

2 Likes

Completely off-topic at this point, but I was actually curious about this. From man capabilities, a list of a few that could do it:

  • CAP_SYS_MODULE - load kernel modules
  • CAP_SYS_RAWIO - raw reads/writes
  • CAP_CHOWN - get access to the raw device
  • CAP_DAC_OVERRIDE - bypass permission checks
  • CAP_FOWNER
  • CAP_SYS_ADMIN
  • CAP_SYS_BOOT - kexec-load
  • …Maybe others?

I can’t think of a single binary that is using the above capabilities AND running as non-root. So it certainly is a possibility, but for me, the most dangerous binaries remain the web browsers. :laughing:

1 Like

But this is a discussion around facts, not your idea of a lifestyle.

That is okay for me, but how does that solve the problem?

That brings me to the question, when this future will be?

Then please open your own discussion. We are discussing a different problem here. Please don’t disturb this.

The worry is that framework is unable to provide a consistent way to get the firmware fixed in time. We are talking about a previously working EFI method, that is not available for a firmware fix that was ready A YEAR AGO!

Yes I do know what you mean but we are not dealing with a hardware or software issue but how people are being, albeit a business in this case.

The purchase of this laptop is very much a lifestyle choice as was and is its creation and development.

> But this is a discussion around facts, not your idea of a lifestyle.

Or is the question about wanting an update and pointing to the people at Framework or is it something tangible?

I understand the argument but not quite who it is directed at. If it was to be directed at the Framework people then why make the issue public? The facts are that the issue is public maybe and whom this worry is directed at ~ the forum is exactly that a personal i.e. lifestyle choice.

So I don’t disagree with any facts as portrayed I was just querying the depth of concern.

I’d better leave this topic now and mute it, but thanks for the responses and I hope those that worry are really OK :slight_smile: