Risks of CPU vulnerabilities

Peter et al.

I went through the procedure a few years ago to remove all my intel servers from critical things like firewalls due to meltdown/Spectre.
To this day it seems Intel is completely uncapable to fix the microcode and I eventually sold most of them. At the time I just moved to AMD for Firewalls etc and kept the remaining intels for LAN servers.
Well, the last year or so I saw a huge uptick in Browser based attacks seemingly targeting the same meltdown/spectre vulnerability.
Firefox in particular has become in my opinion a rat chewn security hole the last year. Something is not right there, but I havent done enough to pinpoint it. I did set up a honeypot for it, so I will find out.

Question1:
I have one intel machine I still use for a less critical task.
What are the current risks running IPFIRE on Intel hardware. I see you disabled SMP for this reason on Intel machines but that disables intrusion detection which makes it not so favorable.
Question2:
I also notice there is microcode listed in the add-ons in the web interface. Is this microcode specifically selected for my machine and is it safe to install ?

1 Like

Hi,

to keep the original thread on topic, I split this post into a new thread.

Unless I overlooked something significant, CPU vulnerabilities such as Spectre, Meltdown and - even worse - MDS require an attacker to be able to run some of his code on your system. This is especially easy if in case of virtualisation (running a VM on a vulnerable hypervisor) and browsers executing JavaScript.

If you run your IPFire on a dedicated physical machine, and keep it updated, it should not run any untrusted code. Unless there is a way to exploit those CPU vulnerabilities remote without any authentication required, they do pose a risk to your IPFire machine, but not a critical one.

Therefore, I would consider beefing up security on your endpoints to be more worth the effort. In this blog post, I once recommended Qubes OS, and still do so. It is certainly not the most user-friendly operating system out there, but I think it is as user-friendly as possible for the level of security it provides. While they are not immune to Spectre, Meltdown & Co., they at least have those on the radar and publish security fixes in a timely manner.

Um, which add-on are you referring precisely?

We always ship the microcode updates provided by Intel and AMD, so you will get them either way without needing to install any add-on manually.

Since we do not know their contents (proprietary blobs), we cannot tell whether they are safe or not. However, we made sure they were not tampered with when we downloaded them onto our source code server.

Thanks, and best regards,
Peter Müller

We don’t disable SMP (Symmetric Multi Processing) we disable SMT (Simultaneous Multi-Threading) so that one core only run one thread. This not disable intrusion detection.

3 Likes

Arne,
I seem to have misread that. You are right.