Impact of Spectre and Meltdown on pfSense?
-
I am considering updating my hardware in preparation for the requirement for AES-NI, but it did occur to me that pretty much any of the existing hardware is vulnerable to Spectre and Meltdown.
Given that pfSense doesn't run "arbitrary code" like the JavaScript that might be run by a web browser, is this a significant concern?
Has upstream FreeBSD managed to significantly mitigate these threats (assuming they are an issue)?
-
https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
-Rico
-
@rico said in Impact of Spectre and Meltdown on pfSense?:
https://www.netgate.com/blog/an-update-on-meltdown-and-spectre.html
-Rico
Thanks @Rico for the link - read through it, but I'm not clear about the current status. The page is dated January 2018, and it refers to pfSense 2.4.3 / 2.4.x as targets for mitigation - there is however no update as to whether versions 1, 2 and 3 have been mitigated now that we are at 2.4.4 Release p1/p2.
Can anyone provide an update, and if it is complete, adding a one-line TL;DR to the page referenced above would be extremely helpful, i.e.:
Update yyyy/mm/dd:
As of 2.x.x - Variants 1, 2, 3 have been mitigated.
or
other status if required.
Since any new hardware would be at least the current version that we have today, it appears that this should be a total non-issue (the only way I would ever allow any type of management over the internet would be via OpenVPN with very strong keys) - or am I missing something?
Thanks in advance for any info/insight.
-
I would argue that the impact of those attacks on pfSense is minimal if you are running on dedicated hardware anyway.
However it would allow, for example, a low impact exploit to escalate to a much higher level if discovered at some point in the future.
Steve
-
@stephenw10 said in Impact of Spectre and Meltdown on pfSense?:
I would argue that the impact of those attacks on pfSense is minimal if you are running on dedicated hardware anyway.
However it would allow, for example, a low impact exploit to escalate to a much higher level if discovered at some point in the future.
Steve
Thanks for the response @stephenw10 - That was what I was thinking as well since a dedicated pfSense box should not be running arbitrary code like a workstation does.
For someone who is very familiar with pfSense/BSD Development:
I read the reference given below and it is unclear as to whether the mitigation at the O/S level is complete. As of 2.4.4.1/2 is Spectre/Meltdown mitigation considered complete?
-
@guardian said in Impact of Spectre and Meltdown on pfSense?:
Has upstream FreeBSD managed to significantly mitigate these threats (assuming they are an issue)?
Does this help? It lists the mitigation patches into FreeBSD stable/11. https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities
-
@bigsy said in Impact of Spectre and Meltdown on pfSense?:
@guardian said in Impact of Spectre and Meltdown on pfSense?:
Has upstream FreeBSD managed to significantly mitigate these threats (assuming they are an issue)?
Does this help? It lists the mitigation patches into FreeBSD stable/11. https://wiki.freebsd.org/SpeculativeExecutionVulnerabilities
Thanks for the reference @bigsy - That's a step closer, so I hope that you or someone else can help me get the rest of the way:
If I understand this correctly variant 1 and 3a are still vulnerable, and there are mitigations for the others.
I don't understand what HEAD means in this context. Does this refer to unreleased FreeBSD 11, development FreeBSD 12 or something else? More importantly:
- Am I correct in assuming that the patches for stable/11 are currently in pfSense now?
- When are the patches under HEAD likely to be included (or are they now)?
- Are variants 1 and 3a expected to be fixed sometime, or are they not fixable?
-
You would expect code in HEAD to be in the next release. That page was last updated in August though.
FreeBSD 11.2 that pfSense 2.4.4 is built on includes those patches:
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:03.speculative_execution.asc
Steve
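To answer "are the patches in my box?" for yourself rather than by release date, FreeBSD-SA-18:03 (linked above) exposes the two kernel mitigations it ships through sysctls: vm.pmap.pti for page-table isolation (Meltdown, variant 3) and hw.ibrs_active / hw.ibrs_disable for IBRS (Spectre variant 2). The script below is an added example, not from this thread or from the pfSense project; it assumes an amd64 pfSense 2.4.4 box on FreeBSD 11.2 where those OIDs exist, and reports "absent" for each one it cannot read (an older kernel, or running it somewhere other than the firewall). It says nothing about variants 1 and 3a, which the FreeBSD wiki page lists as unmitigated.

```shell
#!/bin/sh
# Added example (not part of the thread): summarise the Meltdown / Spectre v2
# kernel mitigation state on a FreeBSD 11.2-based pfSense box, using the
# sysctls documented in FreeBSD-SA-18:03. Assumes amd64 and that the OIDs
# vm.pmap.pti, hw.ibrs_active and hw.ibrs_disable exist on this kernel.

# Read one sysctl value; print "absent" when the OID is missing
# (pre-patch kernel, or not run on the firewall itself).
read_oid() {
    sysctl -n "$1" 2>/dev/null || echo absent
}

# PTI: 1 means the kernel keeps its page tables out of user address space.
pti_status() {
    case "$1" in
        1) echo "mitigated" ;;
        0) echo "NOT mitigated" ;;
        *) echo "unknown (value: $1)" ;;
    esac
}

# IBRS: active=1 means microcode supports it and the kernel is using it.
# active=0 with disable=0 means the CPU microcode lacks IBRS, so a microcode
# (BIOS or cpu-microcode package) update is what is missing, not a kernel patch.
ibrs_status() {
    active="$1"
    disable="$2"
    if [ "$active" = "1" ]; then
        echo "mitigated"
    elif [ "$disable" = "1" ]; then
        echo "NOT mitigated (disabled by hw.ibrs_disable=1)"
    elif [ "$active" = "0" ]; then
        echo "NOT mitigated (microcode lacks IBRS support)"
    else
        echo "unknown (active=$active, disable=$disable)"
    fi
}

# Collect the live values and print one line per mitigation.
report() {
    pti=$(read_oid vm.pmap.pti)
    ibrs_a=$(read_oid hw.ibrs_active)
    ibrs_d=$(read_oid hw.ibrs_disable)
    echo "Meltdown (variant 3) PTI:  $(pti_status "$pti")"
    echo "Spectre v2 IBRS:           $(ibrs_status "$ibrs_a" "$ibrs_d")"
}

report
```

Run it from a shell on the firewall (Diagnostics > Command Prompt works too). A "microcode lacks IBRS support" result is the case to watch for on older hardware: the 11.2 kernel has the patch, but variant 2 stays open until the CPU microcode is updated.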