Author Topic: SG-2220 BIOS Updates for Meltdown/Spectre  (Read 412 times)

Offline Xorag

SG-2220 BIOS Updates for Meltdown/Spectre
« on: January 16, 2018, 11:20:06 am »
Hello!

I know this particular appliance is end of sale, possibly EOL, but I am curious to know if there will be a firmware update available to protect against the latest Intel vulnerabilities. I see that the latest version .17 was released a few months ago and seems a bit old to address this.

Thanks!

Offline bcruze

Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #1 on: January 18, 2018, 06:47:50 am »
I have the same device; I would like to know as well.

Offline johnpoz

  • Not a pfSense employee, they cannot fire me...
Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #2 on: January 18, 2018, 10:35:04 am »
While it's never a bad idea to patch stuff like this when found... I think there is a bit of misunderstanding of exactly what was found and how it could be exploited..

What code do you actually run on your pfSense box?  Other than pfSense or a package you got from the pfSense repo?  Do you use your 2220 as a VM host and let multiple customers run VMs on it?

If you're really concerned about patches for this on your firewall box - maybe you should really do some more research into the actual issues related to these findings.  The big concern here is VM type host boxes where multiple different customers run VMs on the same host.. In such a scenario it's possible that customer A could get info that should be limited to only customer B, etc..

Not sure how such concerns would create such frenzy on a firewall box?
https://googleprojectzero.blogspot.my/2018/01/reading-privileged-memory-with-side.html
https://security.googleblog.com/2018/01/more-details-about-mitigations-for-cpu_4.html

I am sure players like AWS and Azure have a lot to worry about.. If you run VM hosts for multiple customers then sure would be concerned as well..  But your firewall box - the sky is not falling here people.. While yes all such stuff should be addressed and should be of concern.. As always seems much of this stuff gets blown way out of proportion to the actual concern..

If you make it a habit of running untrusted code on your security devices like your firewall box - you prob have way more concerns than what could happen with this latest issue of Meltdown and Spectre ;)

It's like the WPA KRACK -- oh my gawd how do I patch my AP.. Was your AP using a wireless uplink and acting as a wireless client?  If not then no the sky was not falling either..

Take a breath.. Read the Netgate blog, sure they will post info as they get it and if they do release something sure it will be announced.. Checking the BIOS update package on your appliance will show if there is something more current than what you're running..  Which sure is a good thing to check - you should be current with all things be it BIOS or software on your security devices - shoot all devices for that matter.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline Xorag

Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #3 on: January 19, 2018, 10:09:09 am »
My concern isn't as much the exploitability of the threat on my personal firewall, but more so the response and support of the vendor for an EOS/EOL device. Since I don't have a support contract I'm forced to ask on this forum. I have no doubt that this is a near zero risk on a pfSense purposed device.

Offline jwt

  • Administrator
Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #4 on: January 19, 2018, 10:20:52 am »
 
  • johnpoz is correct
  • Intel have released no microcode updates for C2000
  • If this changes, we will test and release a coreboot update (or similar)

Offline johnpoz

Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #5 on: January 19, 2018, 01:40:25 pm »
While the 2220 is EOS it is not EOL... I show that out til May of 2020

I have to assume any updates to the BIOS of such a device would be made available via the coreboot update, just like the pfSense software is even without a support contract..   Unlike those cheap China boxes people seem to like to buy.. Good luck getting a BIOS update from them ;)

Offline ivor

  • Administrator
Re: SG-2220 BIOS Updates for Meltdown/Spectre
« Reply #6 on: January 20, 2018, 06:26:41 am »
Correct, it will be supported.
Need help fast? Commercial support: https://www.netgate.com/support/