Vulnerabilities

In 2018 and 2019, multiple hardware vulnerabilities in Intel processors have been revealed. Other vendors were also affected in some instances. This page collects which Lightning Wire Labs Appliances are affected by which vulnerability.

All appliances ever sold with an Intel processor are capable of running IPFire in 64 bit. If you are running a 32 bit release, please upgrade.

The spectre-meltdown-checker script is available as an add-on package from Core Update 129 to detect these vulnerabilities as well as any potentially deployed mitigations.

Hardware IPFire Enterprise Appliance IPFire Business Appliance / IPFire Office Appliance IPFire Mini Appliance
Hardware Features
Simultaneous Multi-Threading (SMT) Yes15 N/V N/V
Vulnerabilities
Spectre v11 OK (M2) OK (M16) OK (M2)
Spectre v23 OK (M.4) OK (M.4) OK (M.4)
Spectre v3/Meltdown5 OK (M6) OK (NV) OK (NV)
Spectre v3a7 OK (M) OK (M17) OK (NV)
Spectre v48 OK (M) OK (M9) OK (M9)
Foreshadow (SGX)10 OK (NV) OK (NV) OK (NV)
Foreshadow-NG (OS)11 OK (M12) OK (NV) OK (NV)
Foreshadow-NG (VMM)13 OK (NV) OK (NV) OK (NV)
MDS (RIDL/Fallout/ZombieLoad) OK (M14) OK (NV) OK (NV)

Legend

  • OK (NV): Not Vulnerable
  • OK (M): Mitigated
  • V: Vulnerable
  • ?: Unknown

  1. CVE-2017-5753, bounds check bypass 

  2. user pointer sanitation 

  3. CVE-2017-5715, branch target injection 

  4. Full generic retpoline 

  5. CVE-2017-5754, rogue data cache load 

  6. PTI 

  7. CVE-2018-3640, rogue system register read 

  8. CVE-2018-3639, speculative store bypass 

  9. Speculative Store Bypass disabled via prctl and seccomp 

  10. CVE-2018-3615, L1 terminal fault 

  11. CVE-2018-3620, L1 terminal fault 

  12. PTE Inversion 

  13. CVE-2018-3646, L1 terminal fault 

  14. mitigated by microcode, kernel patches and disabling HT 

  15. disabled for mitigation 

  16. usercopy/swapgs barriers and __user pointer sanitization 

  17. Mitigated in microcode 

Edit Page ‐ Yes, you can edit!

Older Revisions • May 27 at 9:11 am • Michael Tremer