InsydeH20 UEFI vulnerabilities

On February 1st, 2022, CERT-CC, Insyde Inc., and Binarly Inc. collectively disclosed a set of vulnerabilities affecting InsydeH2O Hardware-2-Operating System (H2O) UEFI Bios. They affect any product using UEFI Bios based on InsydeH2O, including some BullSequana products. Atos is liaising closely with its suppliers and investigating the exact nature of these vulnerabilities to provide validated remediation.

Notice: This document will continue to be updated as additional information becomes available and is subject to change without notice.

A number of Atos HPC products are affected by these vulnerabilities. Atos is working to distribute updates for the current products

Links for Technical Details:

https://www.insyde.com/security-pledge
https://kb.cert.org/vuls/id/796611

Recommendations: Update system firmwares to the latest version for your product as soon as they are made available

The following table provides the current state:

Product line	Platforms	Motherboards	Processors	Status	Fixed version
BullSequana X400		-	Intel/AMD	Not affected

BullSequana X800		CPB	Intel	Affected	TS54.01
Atos QLM		CPB	Intel	Affected	TS54.01

BullSequana X1000
	BullSequana X1110	CBD	Intel Broadwell	No investigation	EOL
	BullSequana X1120	CSL	Intel Skylake Intel CascadeLake	Affected
	BullSequana X1125	CSL	Intel Skylake Intel CascadeLake	Affected
	BullSequana X1210	CKL	Intel Knights Landing	No investigation	EOL
	BullSequana X1310	CVN	ARM ThunderX2	Not Affected

BullSequana XH2000
	BullSequana X1120	CSL	Intel Skylake Intel CascadeLake	Affected
	BullSequana X1125	CSL	Intel Skylake Intel CascadeLake	Affected
	BullSequana X2410	CERM	AMD Rome AMD Milan	Not affected
	BullSequana X2415	CRRM/CRRM+	AMD Rome AMD Milan	Not affected

Older systems may be investigated on demand.