MDS Mitigation: any reason that's not enabled automatically?

rcfa

Looks like this is new in 2.5, and I became only aware of it, as in the dashboard I recently discovered "MDS Mitigation: Disabled".
So I was wondering what that was, and found a new setting in the System > Advanced > Miscellaneous section.

The options there are
Default (whatever that is)
Disabled
VERW
Software
Automatic

My system had disabled, and I switched it to Automatic, now it operates in VERW mode.

Anything that speaks against putting this in Automatic mode by default, after upgrading from 2.4.x?
Any reason anyone would want to have that disabled?

KOM

Why enforce a performance penalty on everyone instead of only on those who need that functionality? If no Intel, you don't need this. If no multi-tenant environment, you probably don't need this.

johnpoz

Even if a multi-tenant.. I dont' really see how the these sorts of exploits are real concern on a "firewall"

And yeah its going to be a performance hit..

rcfa

@KOM Well, I have an intel system, and the software should be able to tell that quite easily...

@johnpoz If the exploit isn't a concern, then why even provide the option to mitigate?

I have a rather binary view on things like these: either it's a problem, then it needs to be fixed; or it's not, then there's no need for a fix.
You're telling me, it's not a problem, but here's a fix anyway... :D

johnpoz

It could be a problem if were say running 3rd party code on your firewall that is untrusted. Or allowing users to access said firewall that could exe code.

But in the vast majority of your typical firewall deployment this would not be a concern, in its present form.

You also have those people that would scream and complain that why isn't xyz implemented... Even though not actually a concern.

So you make it available, and those that "want" to implement it can - but with it being a performance hit.. I have to think that it would be the rare oddball use of pfsense that this could ever come into play as a concern.

KOM

@rcfa If you want to impose a 10-15% performance penalty on your firewall for no real reason, go ahead and apply the mitigation. I wouldn't bother.

jimp

It's not on by default because it doesn't impact most users an appliance role.

You could turn it on if you want if:

• You have other users who login to the firewall who can run arbitrary code (e.g. from shell or Diag > Command), but they already probably have access to read anything this exploit would get them
• You run something on the firewall from an untrusted third party repository or package source
• You have enabled some other situation we didn't cover that has a way to run untrusted code on the firewall.

It's there if you need it, it's there if you want it, but for most people using pfSense in its typical roles, it doesn't come into play.

rcfa

@jimp OK, thanks, that is helpful.

Seeing that many/most who are not full-time engaged in computer security issues don't have specific knowledge what implications individual, specific vulnerabilities have, a quick explanation alongside the setting might be helpful, because without knowing specifics, the standard reaction is: vulnerabilities are to be fixed, holes to be plugged, particularly in a network border security appliance.

So without the above explanation, the question as to why it's not automatically turned on arises, and why it's meaningful to have it turned off in most cases isn't addressed.

So a short text there, explaining the setting, might be helpful (when needed, performance impact, etc.)

KOM

There's Google for that. Explaining a CPU vulnerability, the mitigation and why you may or may not need it is a little more than a tooltip can handle. Personally, I don't want paragraphs of text wrapped around every option.

rcfa

@KOM said in MDS Mitigation: any reason that's not enabled automatically?:

There's Google for that. Explaining a CPU vulnerability, the mitigation and why you may or may not need it is a little more than a tooltip can handle. Personally, I don't want paragraphs of text wrapped around every option.

A system that has configuration options, should explain them, particularly if they are non-obvious. Otherwise why even bother with a user friendly web interface? Just use the CLI, then you're not bothered by any "useless fluff".

Right now, the description there is:

"Microarchitectural Data Sampling mitigation. If disabled the kernel memory can be accessed by unprivileged users on affected CPUs. This option controls which method of MDS mitigation is used, if any."

It doesn't take much to add:

"MDS will not impact system security in standard use scenarios, however mitigation will incur a 10-15% performance penalty. The option exists for non-standard system use, such as e.g. installing untrusted third party software packages. For this reason, mitigation is disabled by default."

johnpoz

You do understand pfsense is open source right - you could submit that wording if you wanted to..
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

KOM

A system that has configuration options, should explain them, particularly if they are non-obvious.

There's the rub: what's 'obvious'?

Otherwise why even bother with a user friendly web interface?

To enable you to get the job done quickly. I don't know why some people have this "GUI means it's easy" mindset. GUI makes it convenient but not necessarily easy. You still have to know what you're doing. The GUI gives you common options grouped together in an easy to work with interface. It's not meant to be a replacement for the manual, or to supply general knowledge about networking, computing etc.

Just use the CLI, then you're not bothered by any "useless fluff".

I know what I'm doing from a networking perspective. I don't necessarily know how to achieve what I want on FreeBSD via CLI.

rcfa

@KOM said in MDS Mitigation: any reason that's not enabled automatically?:

A system that has configuration options, should explain them, particularly if they are non-obvious.

There's the rub: what's 'obvious'?

A bug with a particular CPU architecture is non-obvious for anyone who's not steeped in computer security.

You can't compare that with knowing what a port, IP address, packet, netmask, etc. is. There are basics one must know to meaningfully use a particular tool, so basic networking knowledge has to be "assumed known" when dealing with a tool like pfSense.

What MDS is, and how it affects a firewall/routing/VPN software platform isn't standard knowledge, and thus can't be "assumed known".

The suggestion to google this information is almost as meaningful as certain ISPs suggesting you use their online ticketing system if you experience trouble with your internet connection... ;)

rcfa

@johnpoz said in MDS Mitigation: any reason that's not enabled automatically?:

You do understand pfsense is open source right - you could submit that wording if you wanted to..
https://docs.netgate.com/pfsense/en/latest/development/submitting-a-pull-request-via-github.html

Thanks. I'll have to look into this. However, since for the most part I'm not doing sw development anymore, and even less so on FreeBSD or network programming, the number of contributions I'm likely to make to the code base is minimal, so to set it all up for two lines of text is a bit much.
I may set it all up in the future, when I'm less pressed for time by other matters, "just in case", but right now I can't.

johnpoz

Well you could be the grammer, description police if you will ;) And just submit PRs for the gui description stuff ;)

KOM

@johnpoz "grammar"

johnpoz

hehehe - I did that on purpose ;)

Squuiid

Apologies for resurrecting this old thread but it seemed like the best place as it's the only thing to come up in Google for MDS Mitigation on pfSense.
@jimp while you state it doesn't really affect anyone with an appliance, would you recommend enabling MDS mitigation on those using pfSense in an ESXi VM for example?
Thanks.

johnpoz

@Squuiid said in MDS Mitigation: any reason that's not enabled automatically?:

ESXi VM for example?

How do you think that would come into play... The mitigation where there would be a concern is the HOST, not a vm..

Squuiid

@johnpoz said in MDS Mitigation: any reason that's not enabled automatically?:

@Squuiid said in MDS Mitigation: any reason that's not enabled automatically?:

ESXi VM for example?

How do you think that would come into play... The mitigation where there would be a concern is the HOST, not a vm..

Is that you just speculating or is it based on something more concrete?
VMware state that not only a host should have MDS mitigations enabled but so too the guest vm it would seem.

Have a read here and let me know what you think. To me it reads like the MDS mitigations should be enabled in a guest vm. Keen to hear your take on it however.
https://www.vmware.com/security/advisories/VMSA-2019-0008.html