Discussion about Spectre/Meltdown in late 2018


(watermelon) #1

Hi all,

As most of you probably know, there was the spectre/meltdown vulnerabilities that were discovered to affect nearly all computers (almost all computer chips manufactured within the last 20 years) in late 2017 and early 2018. I haven’t really seen much news about it recently as it seems to have fallen off the radar for most people.

I had forgotten about it completely until I saw a section in the new vSphere module for Icinga2 (awesome by the way!) that mentioned the BIOS version on my hosts:

51%20AM

So does this mean that I shouldn’t upgrade the BIOS if Spectre/meltdown requires a 2.7.0 BIOS version?

Is there anything that you guys have done to protect your systems against these vulnerabilities? Did you forget about it as well?


(Kevin Honka) #2

I forgot mostly about them as the bios patches from our vendors are kinda sketchy and unreliable. As we run mostly Linux the firmwareupgrade package should take care of most of them, except one which uses hyper threading to attack. To mitigate that one you have to switch it off, which is what I do most of the time anyways


(watermelon) #3

So don’t worry about BIOS patches then, even if they are from Dell? I might open up a support ticket just because I’m curious what they will say.

As for mitigating vulnerabilities, when you refer to “it” when you’re saying “switch it off”, you mean switching off hyper threading, right?


(Kevin Honka) #4

yes, I switched off hyper threading on all my intel CPUs that have it. You can install the bios patches from the vendors, which is always the right thing to do if they have matching patches. I’m just way to lazy and let linux deliver the firmware updates to me.


(Michael Friedrich) #5

Newer Kernels provide better protection, but I would recommend to always test them in comparison. Spectre V2 in the Kernel has recently been rejected and a new fixed version is released (unfortunately German only, https://www.heise.de/security/meldung/Linux-Besserer-Spectre-V2-Schutz-jetzt-im-Kernel-kaum-Geschwindigkeitsverlust-4244052.html)

On the long run, CPU vendors are in need to finally fix their firmware no matter which OS/Kernel is used on top.


(watermelon) #6

Great, thanks for the insight guys. I guess we will revisit this a little bit later when CPU vendors fix their firmware.