Meltdown Spectre an issue for intrusion?

Let me know if I’m way off here.

To my knowledge, Spectre and Meltdown are only an issue when installing 3rd-party apps and Intel hyperthreading is enabled.

If I only use a base install of IPFire, no add-ons and hyperthreading disabled, are Meltdown and Spectre actually an issue? Specifically for someone using them to penetrate the firewall.

Thanks!

Yes, because they are real. The next answer will explain better.

We still don’t know. At least, as far as I can remember. Currently, proofs of concept have been published that are capable of exploiting them, but until now there is no evidence or publication of effective exploitation.

https://cpu.fail hosted by Graz University of Technology summarizes five big issues related to CPU hardware. Feel free to take a read. That’s not the only source you should read.

IMVHO these kinds of vulnerabilities will keep appearing for some years; speculative execution and branch prediction are far from being fully secured in CPU design. Therefore: are the CPUs safe? The answer is no. Should I worry about it? I should be aware of it, and keep myself updated on security bulletins and exploits.
Feeling unsafe is much safer than feeling safe.

This is only my opinion, don’t stop here! Take a deep read during these COVID times…

Thanks for that answer. And I agree with everything you stated.

But the spirit of my question is: If there’s a basic deny all on a firewall, how would one get in? Meaning, don’t you actually need to have your code in the computer (in this case, firewall) for any of these exploits to work?

Also, when you quoted me, you only used part of my question. Please don’t read that as any kind of snark or negativity. I do appreciate all answers. I realize meltdown and spectre are an issue. But my question was, specifically if you don’t have any 3rd party software or applications installed.

Thanks again

As stated previously, currently no exploit has been published for any of these vulnerabilities, so no one has yet published a “how”.
Anyway, don’t forget that the bug is related to how data is managed. Currently, though still not proven, even forged data passively delivered (a webpage, an email attachment, whatever) could be the carrier of the payload that triggers the attack.

These are hardware bugs. Even if you change the Linux distro they won’t go away. Published kernel and microcode mitigations should reduce the footprint of the vulnerability, as should the decision to disable SMT/HyperThreading, as done by OpenBSD and IPFire and as advised by Intel.
IMVHO no software will change anything about this situation (except mitigation).
I hope that x64 CPUs without any vulnerability will be available soon, but it took more than 10 years to “know” that there were flaws of this kind in CPU design.
After this series of vulnerabilities, it will take years to ease the problems without losing much performance, as the kernels took time to refine and improve the use of pipelining, branch prediction and SMT within a CPU (and not between CPUs).
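As an added, self-contained check (example code, not part of this thread and not IPFire's own tooling): the Linux kernel reports the status of each speculative-execution mitigation it knows about as one file per issue under /sys/devices/system/cpu/vulnerabilities/ (values such as "Not affected", "Vulnerable", "Vulnerable: No microcode" or "Mitigation: PTI"), and the SMT state under /sys/devices/system/cpu/smt/control ("on", "off", "forceoff" or "notsupported"). The script below classifies every entry and flags anything the kernel still reports as Vulnerable. The file name check_mitigations.sh and the optional directory/file arguments are assumptions made here so the same functions can be exercised against a constructed copy of the sysfs files; the sysfs paths themselves are the kernel's documented ABI.

```shell
#!/bin/sh
# Added example (not IPFire project code): summarise the kernel's own view of
# the speculative-execution mitigations and of SMT/HyperThreading.
# Assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# and /sys/devices/system/cpu/smt/control (both exist on current kernels).

# classify_status "STATUS STRING" -> prints vulnerable | mitigated | not-affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not-affected\n' ;;
        Vulnerable*)     printf 'vulnerable\n' ;;
        Mitigation:*)    printf 'mitigated\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# report_vulns [DIR] -> prints "<issue>\t<class>\t(<raw status>)" per file.
# Returns 1 if at least one issue is still reported as vulnerable, else 0.
# DIR is an assumed optional parameter so a constructed directory can be used.
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%s\t%s\t(%s)\n' "$name" "$class" "$status"
        if [ "$class" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# count_vulnerable [DIR] -> prints how many issues are classified vulnerable
count_vulnerable() {
    report_vulns "$1" 2>/dev/null | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# smt_state [FILE] -> prints the kernel's SMT control value, or "unknown"
# if the file is missing (older kernel or the control interface not built in).
smt_state() {
    file="${1:-/sys/devices/system/cpu/smt/control}"
    if [ -r "$file" ]; then
        cat "$file"
    else
        printf 'unknown\n'
    fi
}

# Run the report only when executed directly as check_mitigations.sh
# (assumed file name), not when the functions are sourced by something else.
if [ "${0##*/}" = "check_mitigations.sh" ]; then
    report_vulns
    printf 'SMT: %s\n' "$(smt_state)"
    if [ "$(count_vulnerable)" -gt 0 ]; then
        echo "WARNING: at least one issue is still reported as Vulnerable"
    fi
fi
```

Run it as root or any user (the sysfs files are world-readable) after a microcode or kernel update to confirm the mitigations really took effect; "Vulnerable: No microcode" for spectre_v2 or mds is the typical sign that the CPU microcode package was not updated, and an SMT state of "on" means hyperthreading is still active regardless of what the BIOS menu claims.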

Yes, you are correct here.

The firewall itself is not under threat because of any third-party code running on it. I have mentioned that in one of my blog articles about it, but I cannot find the exact spot - I seem to ramble way too much.

But, if someone is able to inject any code through any remote code execution vulnerability, it is suddenly very easy to exploit the whole system, because the attacker immediately has root permissions.

That means that at all times we need to have the mitigations on.

No, but bad people obviously do not publish their exploits. If this is exploited, you will never know. Attacks on these CPU vulnerabilities do not leave any traces whatsoever.

I am not keeping my hopes up for that.

The performance impact is still there and it is massive. IPFire suffers a lot from it with applications like IPS.

So far there is little research that I know of how a processor can be designed to be guaranteed to not have these flaws. ARM and RISC-V are probably in a much better situation to act than x86.

ARM is RISC. And RISC is not CISC, so this means that there’s less “programming” in silicon but much more programming in software and microcode, which can be upgraded.

Yes and no.
Currently no malicious software capable of that has been detected and submitted as a sample for antivirus, IDS/IDP or whatever technique is used for keeping out the crap.
And also, as with a good lockpicker… you maybe cannot know how they opened the lock, but you will still find that someone stole data or tried (or succeeded) to take over the server.
Anyway, although more than 24 months have passed since the first “big bad guy” called Spectre came out, it is still quite nebulous if, when and how these vulnerabilities could be used.
This is the saddest news until now.

In order to minimize exploitation potential,
I use my IPFire purely as a FW, nothing else.
I know there are so many really great add-ons -
but IMVHO, e.g., every file or web server belongs in ORANGE -
behind and protected by the HW FW in front of it.

Hi all !

Noob here.
I am wondering, in the case of IPFire installed at home where all ports are closed by iptables, geolocation IPs etc. … is that system still vulnerable to Meltdown and Spectre?

Thanks!

ARM does not have microcode.

:+1:

Yes, in theory. But as I said before, practically it is much less likely to exploit Spectre & Meltdown on a firewall than on a desktop computer.


@ms

Thanks very much, it’s appreciated!