• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Intel CPUs Massive Security Flaw issue

Scheduled Pinned Locked Moved General pfSense Questions
95 Posts 26 Posters 24.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    JKnott
    last edited by Jan 5, 2018, 3:25 AM

    I just came across this:
    http://www.pcgamer.com/intel-ceo-sold-39-million-in-company-shares-prior-to-disclosure-of-cpu-security-flaws/

    PfSense running on Qotom mini PC
    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
    UniFi AC-Lite access point

    I haven't lost my mind. It's around here...somewhere...

    1 Reply Last reply Reply Quote 0
    • R
      robi
      last edited by Jan 5, 2018, 8:34 AM

      This is not a joke anymore. Really.

      1 Reply Last reply Reply Quote 0
      • I
        ivor
        last edited by Jan 5, 2018, 10:17 AM

        @robi:

        @ivor:

        Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

        Can you please elaborate a little bit this, so we can understand what you mean? Especially the "most pfSense use cases without untrusted local users or a multi-tenant context ".
        The whole pfSense runs as root, including the web interface afaik…

        @lra:

        @ivor:

        Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

        Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

        Engineering question, if the Meltdown and Spectre kernel fixes reduces pfSense performance by 5% or more, is that prudent ?

        If Meltdown and Spectre require malicious code running locally, all bets are off, and there are far easier methods to extract credentials.

        Bottom line, are the Meltdown and Spectre fixes appropriate for an appliance like pfSense ?

        We will know more information once there's a fix in place so I would rather not speculate now. Once the fix is ready, it will be available in snapshots.

        Need help fast? Our support is available 24/7 https://www.netgate.com/support/

        1 Reply Last reply Reply Quote 0
        • A
          AMD_infinium05
          last edited by Jan 5, 2018, 5:28 PM

          @ivor:

          Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

          Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

          Could you please elaborate/simplify to understand more about this statement?

          1 Reply Last reply Reply Quote 0
          • R
            robi
            last edited by Jan 5, 2018, 11:28 PM

            https://github.com/corna/me_cleaner/issues/142

            ::)

            1 Reply Last reply Reply Quote 0
            • K
              kpa
              last edited by Jan 6, 2018, 12:04 AM

              @AMD_infinium05:

              @ivor:

              Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

              Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

              Could you please elaborate/simplify to understand more about this statement?

              The vulnerabilities do not affect pfSense in a usual configuration where there are no local users that could have local execution privileges for untrusted code.

              1 Reply Last reply Reply Quote 0
              • G
                Gil Rebel Alliance
                last edited by Jan 6, 2018, 12:33 AM

                A "Quantum of Solace" for me in that statement - (To coin a phrase)

                11 cheers for binary

                1 Reply Last reply Reply Quote 0
                • B
                  bfeitell
                  last edited by Jan 6, 2018, 10:41 AM

                  @ivor:

                  Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

                  Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

                  This makes sense for PFSense itself, but what about packages like Snort and Suricata that actively evaluate untrusted and malicious code all the time?

                  1 Reply Last reply Reply Quote 0
                  • W
                    WERTYU Banned
                    last edited by Jan 6, 2018, 11:43 AM

                    This post is deleted!
                    1 Reply Last reply Reply Quote 0
                    • L
                      lra
                      last edited by Jan 6, 2018, 3:10 PM

                      @ivor:

                      @lra:

                      @ivor:

                      Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

                      Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

                      Engineering question, if the Meltdown and Spectre kernel fixes reduces pfSense performance by 5% or more, is that prudent ?

                      If Meltdown and Spectre require malicious code running locally, all bets are off, and there are far easier methods to extract credentials.

                      Bottom line, are the Meltdown and Spectre fixes appropriate for an appliance like pfSense ?

                      We will know more information once there's a fix in place so I would rather not speculate now. Once the fix is ready, it will be available in snapshots.

                      For Reference …
                      DragonFlyBSD Lands Fixes For Meltdown Vulnerability
                      https://www.phoronix.com/scan.php?page=news_item&px=DragonFly-Meltdown-Fixed

                      "... system call performance is reduced, similar to Linux, when the isolation is enabled. DragonFly reports that system calls go from about 100ns to ~350ns. In typcial workloads they say you should "not lose more than 5% performance or so. System-call heavy and interrupt-heavy workloads (network, database, high-speed storage, etc) can lose a lot more performance."

                      1 Reply Last reply Reply Quote 0
                      • K
                        kpa
                        last edited by Jan 6, 2018, 3:14 PM

                        @bfeitell:

                        @ivor:

                        Our preliminary assessment of Meltdown and Spectre vulnerabilities suggests that most pfSense use cases without untrusted local users or a multi-tenant context should not be concerned.

                        Once the FreeBSD project issues a patched release, we will incorporate those patches, test, and release new versions of pfSense.

                        This makes sense for PFSense itself, but what about packages like Snort and Suricata that actively evaluate untrusted and malicious code all the time?

                        No they don't, what they do is they analyze patterns in the incoming and outgoing connections on both the IP headers and the data payload level and then make decisions based on rules if there is an active threat going on. None of their operations involve an actual execution of untrusted program code, it would be just plain crazy if such thing was allowed.

                        1 Reply Last reply Reply Quote 0
                        • B
                          bimmerdriver
                          last edited by Jan 6, 2018, 11:06 PM

                          @Chrismallia:

                          @KOM:

                          AMD's performance is so far behind that even 30% slower the Intel is still faster  and I suspect they have their own issues.

                          From what I have read, AMD's latest Threadripper CPUs are giving Intel a run for their money, and they're cheaper.  As for issues, unless you have something concrete then you can't really make that claim.  I've seen others saying the same thing on other tech forums, that this Intel bug is bad but AMD might maybe perhaps possibly have something as bad or worse.  It's pure FUD.

                          Sorry to disagree

                          Threadripper  does nearly half the work clock per cycle  of an Intel  plus they run much hotter and are less power efficient

                          Work per clock cycle is an irrelevant measurement unless you are comparing similar architectures and even then, while it may be interesting, it still doesn't really matter. The relative performance of AMD vs. Intel depends on the workload. (This applies to Ryzen vs. Core as well as Epyc vs. Xeon.)

                          Anandtech rated the ThreadRipper as the best overall workstation processor, taking both price and performance into account. Here is a reference: https://www.anandtech.com/show/11891/best-cpus-for-workstations-2017

                          1 Reply Last reply Reply Quote 0
                          • J
                            jahonix
                            last edited by Jan 7, 2018, 12:19 AM

                            @dotdash:

                            I don't see much of an attack vector on a firewall

                            What about installs on hypervisors, be it local on, say vmware, or in the cloud at azure or aws?
                            That's where the fun begins and that's where more valuable data can be sourced from than from your home with a dedicated pfSense machine, right?

                            1 Reply Last reply Reply Quote 0
                            • N
                              n3by
                              last edited by Jan 7, 2018, 11:10 AM

                              Is is possible for pfSense to load updated CPU microcode at kernel boot as in Linux / windows ?

                              1 Reply Last reply Reply Quote 0
                              • K
                                kejianshi
                                last edited by Jan 7, 2018, 3:56 PM

                                Based on what I've read, pfsense users have nothing to worry about if pfsense is installed on a physical machine or if it is installed as a VM along with other virtual appliances on hardware that you own and only you use.

                                You start having risks when you are one of many subscribers to a cloud service and you have no idea if the other subscribers are running malware that exploits these vulnerabilities.

                                I'm far more worried that for most of us, the cure will be worse than the disease.

                                1 Reply Last reply Reply Quote 0
                                • H
                                  Harvy66
                                  last edited by Jan 7, 2018, 4:58 PM

                                  @Hugovsky:

                                  If I have to trade speed for security, I choose security every time. With Intel, it used to be a win-win but, with recent news… I just don't believe it so blindly anymore. Of course AMD is not the cure to all your problems but it sure starts to seem a little better.

                                  A system with a speed of zero is perfectly secure, and perfectly useless.

                                  1 Reply Last reply Reply Quote 0
                                  • I
                                    ivor
                                    last edited by Jan 7, 2018, 6:55 PM

                                    PPP will still be somewhat slow after this gets patched. :)

                                    Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                    1 Reply Last reply Reply Quote 0
                                    • R
                                      robi
                                      last edited by Jan 8, 2018, 8:33 PM

                                      http://www.newsweek.com/apple-iphone-chip-vulnerability-most-disturbing-security-issue-decades-771638

                                      1 Reply Last reply Reply Quote 0
                                      • J
                                        JKnott
                                        last edited by Jan 8, 2018, 10:17 PM

                                        What's more is the Intel CEO sold $24M in stock months AFTER Google advised Intel of the problem, but before it was made public.

                                        http://www.businessinsider.com/intel-ceo-krzanich-sold-shares-after-company-was-informed-of-chip-flaw-2018-1

                                        PfSense running on Qotom mini PC
                                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                        UniFi AC-Lite access point

                                        I haven't lost my mind. It's around here...somewhere...

                                        1 Reply Last reply Reply Quote 0
                                        • I
                                          ivor
                                          last edited by Jan 9, 2018, 12:23 AM

                                          https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html

                                          Need help fast? Our support is available 24/7 https://www.netgate.com/support/

                                          1 Reply Last reply Reply Quote 0
                                          35 out of 95
                                          • First post
                                            35/95
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            This community forum collects and processes your personal information.
                                            consent.not_received