In 2018 and 2019, multiple hardware vulnerabilities in Intel processors were revealed. Other vendors were also affected in some instances. This page lists which Lightning Wire Labs Appliances are affected by which vulnerability.
All appliances ever sold with an Intel processor are capable of running IPFire in 64-bit. If you are running a 32-bit release, please upgrade.
The spectre-meltdown-checker script is available as an add-on package from Core Update 129 to detect these vulnerabilities as well as any potentially deployed mitigations.
Hardware | IPFire Enterprise Appliance | IPFire Business Appliance / IPFire Office Appliance | IPFire Mini Appliance |
---|---|---|---|
Hardware Features | | | |
Simultaneous Multi-Threading (SMT) | Yes [15] | N/V | N/V |
Vulnerabilities | | | |
Spectre v1 [1] | OK (M [2]) | OK (M [16]) | OK (M [2]) |
Spectre v2 [3] | OK (M.[4]) | OK (M.[4]) | OK (M.[4]) |
Spectre v3/Meltdown [5] | OK (M [6]) | OK (NV) | OK (NV) |
Spectre v3a [7] | OK (M) | OK (M [17]) | OK (NV) |
Spectre v4 [8] | OK (M) | OK (M [9]) | OK (M [9]) |
Foreshadow (SGX) [10] | OK (NV) | OK (NV) | OK (NV) |
Foreshadow-NG (OS) [11] | OK (M [12]) | OK (NV) | OK (NV) |
Foreshadow-NG (VMM) [13] | OK (NV) | OK (NV) | OK (NV) |
MDS (RIDL/Fallout/ZombieLoad) | OK (M [14]) | OK (NV) | OK (NV) |
Legend
- OK (NV): Not Vulnerable
- OK (M): Mitigated
- V: Vulnerable
- ?: Unknown
Footnotes
- CVE-2017-5753, bounds check bypass
- CVE-2017-5715, branch target injection
- CVE-2017-5754, rogue data cache load
- PTI
- CVE-2018-3640, rogue system register read
- CVE-2018-3639, speculative store bypass
- CVE-2018-3615, L1 terminal fault
- CVE-2018-3620, L1 terminal fault
- PTE Inversion
- CVE-2018-3646, L1 terminal fault
- mitigated by microcode, kernel patches and disabling HT
- disabled for mitigation
- usercopy/swapgs barriers and __user pointer sanitization
- Mitigated in microcode