Announcement

Collapse
No announcement yet.

OpenBSD Gets Mitigated For Meltdown CPU Vulnerability

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • boxie
    replied
    Originally posted by Pawlerson View Post

    Except their implementation must hurt performance badly. Like in DragonflyBSD case.
    why must it? the OpenBSD team are nothing but careful

    Leave a comment:


  • Guest's Avatar
    Guest replied
    Originally posted by boxie View Post

    So.... according to https://en.wikipedia.org/wiki/Meltdo..._vulnerability)


    So everyone else gets 5 months and we are still getting mitigation fixes from Windows/Intel/Linux for this - If the OpenBSD team got their heads at the same time - then they are roughly on par with everyone else. If they got their heads up late in December/early Jan then they have done a fucking awesome job at getting this fixed.
    Except their implementation must hurt performance badly. Like in DragonflyBSD case.

    Leave a comment:


  • aht0
    replied
    Originally posted by Pawlerson View Post

    Quickly? Everyone else already fixed it. Maybe except haiku and so on. The truth is BSD don't have enough manpower to even fix simple bugs. There are dozens of bugs in FreeBSD nobody cares about and they're not even reported. The result is very low code quality.
    "Everyone else" got bunch of months advance warning. They didn't. Matthew Dillon & DragonFly was probably the fastest of all, doubt he also had any foreknowledge..

    Leave a comment:


  • Jabberwocky
    replied
    I did consulting for a company that only use OpenBSD on their most secure routers that serves millions of customers. I can confirm that meltdown is not a problem for them. Heartbleed was (and still is for some companies) a big issue.

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by nslay View Post
    Even if you had physical access to the network, the low level chips that handle communication don't have anything like instruction-level parallelism or speculative execution that would make them vulnerable to Specter or Meltdown. They're too simple.

    I even asked Adrian Chadd, net80211 BSD guy, if Wi-Fi chips were somehow vulnerable and he basically said the same thing about those chips too.
    Here we are talking of network equipment running an OS, so (very) smart switches, firewalls, routers that do packet inspection and other things that require them to pull the packets in the OS to process them somehow.

    Which is still not an attack vector at all unless there are some pretty serious software issues in the device in question, like using shell scripts to process the packets or somesuch.

    Of course the actual switch hardware chips or the network controller themselves are far too dumb to even care.

    Leave a comment:


  • nslay
    replied
    Originally posted by torsionbar28 View Post
    Yes, there is lots. And none of it matters. There is no vector to exploit meltdown/spectre on a networking device like those from Cisco, etc. Think about it, these are privilege escalation vulnerabilities, but everything on a LAN switch or router runs as root. There are no other users logging in. And there's no way to exploit any of this from the data plane. You can maybe send a malformed ethernet frame (which requires you already have physical access to the local area network), and then what? Gain access to a portion of the mac address table? Whoop-dee-doo. No way to exploit it from the management plane of these devices either, as they all run signed code and will not run random code, even it were possible to inject it somehow. Sorry, but meltdown/spectre are a total non-issue on networking equipment. Yawn, nothing to see here.
    Even if you had physical access to the network, the low level chips that handle communication don't have anything like instruction-level parallelism or speculative execution that would make them vulnerable to Specter or Meltdown. They're too simple.

    I even asked Adrian Chadd, net80211 BSD guy, if Wi-Fi chips were somehow vulnerable and he basically said the same thing about those chips too.

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by yoshi314 View Post
    we don't know that. From what i've heard there is a lot of networking hardware still running unpatched.
    Privilege escalation vulnerabilities are an issue only on systems where you are running relatively untrusted code (or code that can and will be exploited because it is shit, like PHP).

    Most networking equipment aren't really supposed to do that so it has a low footprint to begin with. So yeah it might theoretically help in some cases, but in most cases they get pwned well before someone even resorts to high-complexity attacks like Meltdown/Spectre.
    Their ssh is ancient, their remote management API might be sketchy, their web interface might be running as root and is vulnerable to code injection, and so on and so forth.

    Leave a comment:


  • torsionbar28
    replied
    Originally posted by yoshi314 View Post
    From what i've heard there is a lot of networking hardware still running unpatched.
    Yes, there is lots. And none of it matters. There is no vector to exploit meltdown/spectre on a networking device like those from Cisco, etc. Think about it, these are privilege escalation vulnerabilities, but everything on a LAN switch or router runs as root. There are no other users logging in. And there's no way to exploit any of this from the data plane. You can maybe send a malformed ethernet frame (which requires you already have physical access to the local area network), and then what? Gain access to a portion of the mac address table? Whoop-dee-doo. No way to exploit it from the management plane of these devices either, as they all run signed code and will not run random code, even it were possible to inject it somehow. Sorry, but meltdown/spectre are a total non-issue on networking equipment. Yawn, nothing to see here.

    Leave a comment:


  • boxie
    replied
    Originally posted by Pawlerson View Post

    Quickly? Everyone else already fixed it. Maybe except haiku and so on. The truth is BSD don't have enough manpower to even fix simple bugs. There are dozens of bugs in FreeBSD nobody cares about and they're not even reported. The result is very low code quality.
    So.... according to https://en.wikipedia.org/wiki/Meltdo..._vulnerability)
    After affected hardware and software vendors had been made aware of the issue on July 28, 2017,[45] the two vulnerabilities were made public jointly, on January 3, 2018, several days ahead of the coordinated release date of January 9, 2018 as news sites started reporting about commits to the Linux kernel and mails to its mailing list.[8] As a result, patches were not available for some platforms, such as Ubuntu,[46] when the vulnerabilities were disclosed.
    So everyone else gets 5 months and we are still getting mitigation fixes from Windows/Intel/Linux for this - If the OpenBSD team got their heads at the same time - then they are roughly on par with everyone else. If they got their heads up late in December/early Jan then they have done a fucking awesome job at getting this fixed.

    Leave a comment:


  • starshipeleven
    replied
    Originally posted by cen1 View Post
    Who cares really? It's not like OpenBSD boxes around the world have been actively exploited with meltdown and spectre.
    This is a bold statement, considering that there is 0 public data about this.

    Unless you want to make a very snide remark about OpenBSD not being used in places where they could be exploited, akin to saying that OpenBSD is not used at all.

    Leave a comment:

Working...
X