# In which way do Meltdown and Spectre affect Firewalls?



## consuli (Feb 15, 2018)

Hello!

I have got two firewalls. One is based on a mini-computer mainboard with a Spectre-1 sensitive processor and has OPNsense firewall software (based on FreeBSD-Linux).

The other one is a proprietary well known brand manufacturer firewall. Neither the mainboard nor the processor is known. 

In which way could these two firewalls be affected by Meltdown and Spectre? AFAIK there are no updates yet.

Is there a way to test it out?

Consuli
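
For a firewall that gives you a shell, the kernel's own mitigation report is one answer to the "is there a way to test it out?" question. This is an added example, not part of the original post. The function names `check_linux` and `check_freebsd` are hypothetical, and the FreeBSD branch assumes the `vm.pmap.pti` and `hw.ibrs_active` sysctls that patched amd64 kernels provide.

```shell
#!/bin/sh
# Added example (not from the thread): summarise what the kernel itself reports
# about Meltdown/Spectre mitigations. Function names are hypothetical.

# Linux kernels carrying the mitigation patches expose one file per issue in
# /sys/devices/system/cpu/vulnerabilities ("Not affected", "Vulnerable...",
# "Mitigation: ..."). check_linux DIR returns 1 if any issue is unmitigated.
check_linux() {
    dir=$1; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        case $status in
            "Not affected"*) verdict=not-affected ;;
            Mitigation*)     verdict=mitigated ;;
            *)               verdict=REVIEW; rc=1 ;;
        esac
        printf '%-12s %-13s %s\n' "$(basename "$f")" "$verdict" "$status"
    done
    return $rc
}

# FreeBSD (the base of OPNsense): reads `sysctl` output ("name: value") on stdin.
# vm.pmap.pti=1    page-table isolation (Meltdown) is active; 0 is normal on
#                  CPUs that are not affected by Meltdown, e.g. AMD.
# hw.ibrs_active=1 IBRS (Spectre v2) is in use; needs updated CPU microcode.
# Returns 1 if either value is not 1 or a sysctl is absent (unpatched kernel).
check_freebsd() {
    rc=0; seen=0
    while IFS=': ' read -r name value; do
        case $name in
            vm.pmap.pti|hw.ibrs_active)
                seen=$((seen + 1))
                if [ "$value" = 1 ]; then state=active; else state=REVIEW; rc=1; fi
                printf '%-15s %s\n' "$name" "$state" ;;
        esac
    done
    [ "$seen" -eq 2 ] || rc=1
    return $rc
}

# Usage on the firewall itself:
#   check_linux /sys/devices/system/cpu/vulnerabilities
#   sysctl vm.pmap.pti hw.ibrs_active 2>/dev/null | check_freebsd
```

A proprietary appliance without shell access cannot be checked this way; there the vendor's advisory is the only source.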


----------



## Masterchiefxx17 (Feb 27, 2010)

Hi and Welcome to TSF!

Highly unlikely that somebody is going to single target you for Meltdown or Spectre attacks.

As long as the firewalls are in support and receive new security definitions and updates, they should be just fine.


----------



## consuli (Feb 15, 2018)

Thanks.



Masterchiefxx17 said:


> Highly unlikely that somebody is going to single target you for Meltdown or Spectre attacks.


I am familiar with what security specialists say about why Meltdown and Spectre, in their mind, do not affect firewalls. Their main points are:

1. There is no application running on a firewall that would allow free scripting, such as JavaScript in a browser.
2. There are no medium privileged "User" accounts on a firewall that could be used for running a side channel attack process.
3. There are no passwords and configuration files in the RAM of a firewall that could be read by side channel attacks from Meltdown and Spectre.

Well, I am not a security expert.

I agree with point 1.

But I disagree with points 2 and 3.


The reason I am disagreeing with point 2 is the following:
Following https://en.wikipedia.org/wiki/Hacking:_The_Art_of_Exploitation#Programming in the standard exploitation technique, the first hacking step is to inject malicious code into an application. This is typically applied by sending some overlarge "data", that uses the unsafeness of C data structures against oversize, so that the attached malicious machine code binary gets implanted in the next RAM section. Typically this injected malicious machine code inherits the privileges from the application it has been implanted from. Which, in case of a firewall, is the firewall application. I guess the firewall application on a firewall machine most possibly is such a medium privileged account.


The reason I am disagreeing with point 3 is:

I simply cannot believe there are no passwords (or at least hashes of one or more passwords) and no configuration files in the RAM of a firewall.


*Do you agree, that security specialists' points 2 and 3 do not make very much sense?*


Consuli


----------



## Masterchiefxx17 (Feb 27, 2010)

I think with enough understanding of anything, something could be hacked into. At the same time, I think you are over researching the topic for anxiety reasons.

For number two, firewalls typically have a user account as some firewalls are managed by a user.

For number three, depends on the firewall really.


----------



## consuli (Feb 15, 2018)

If this is out of the scope of the forum (maybe too technical), where can I go with this?

Consuli


----------



## Masterchiefxx17 (Feb 27, 2010)

I don't believe it's out of the scope or too technical for us. It's the answers you are receiving that you aren't liking.

Why are you afraid of the new malicious attacks? Did you even check yet to see if the firewalls have firmware or security updates available?


----------



## consuli (Feb 15, 2018)

Masterchiefxx17 said:


> Why are you (so) afraid of the new malicious attacks?


I am so afraid, because it is a HARDWARE security problem. From my point of view, before Meltdown and Spectre a potential attacker needed an individual OPERATING SYSTEM DEPENDENT exploit. But now he can use universal hardware based machine code, as most instruction sets of processors are normed. Especially a potential attacker can expect 90% of all processors (Intel + ARM market share) to do speculative execution (Meltdown scenario).

Of course it is true that Meltdown and Spectre in case of a firewall do not affect the "first bricks" of the firewall, that would be subject to a first exploit. However, I do not think that would make much difference, as I believe the exploits for the first bricks can be derived by automatic probing. E.g. in the most trivial case, misconfiguring a firewall to a reject-everything policy (please acknowledge REJECT not drop here), and sending it highly misconfigured packages.

Thus, I think it is very dangerous, when - let's say from a ten bricks thick firewall - 5 or 6 bricks are compromised by speculative execution (Meltdown case), even if the first brick to the internet is not affected.
Maybe a Spectre-V1 attack (by mistraining the branch prediction circuit of a processor) would be harder to drive. But speculative execution appears frequently, and maybe also could be triggered from external. In case of a firewall that would mean sending a certain series of misconfigured packages (so that one misconfigured package will get executed by speculative execution).



Masterchiefxx17 said:


> Did you even check yet to see if the firewalls have firmware or security updates available?


As yet, there are no official Meltdown and Spectre updates for the two firewalls. If there are any, they would be in the development process (beta versions).

How is it with your firewalls? Are there Meltdown/ Spectre patches for them?

Consuli


----------



## joeten (Dec 4, 2008)

Perhaps you can find whatever it is you're seeking for an answer from this: https://blog.barkly.com/meltdown-spectre-patches-list-windows-update-help
There are further sources of info here: https://www.google.co.uk/search?q=m...-ab&gfe_rd=cr&dcr=0&ei=cpmJWuPSO4X98wfHrKz4BA
We won't be going into the merits or lack of them since the situation is ongoing and updates and further info will most likely be forthcoming.


----------



## consuli (Feb 15, 2018)

Thanks for the links. They are a little bit helpful. However, they could go (much) more into detail, to get it onto the point.



Masterchiefxx17 said:


> At the same time, I think you are over researching the topic for anxiety reasons.





joeten said:


> We won't be going into the merits or lack of them since the situation is ongoing and updates and further info will most likely be forthcoming.


Well, that's really funny. First, one forum mod calls me over-anxious. And now, it looks like, the forum has become anxious itself, especially does not want to discuss the topic any more!









Anyway, an ongoing update process does not solve the users' problems caused by Meltdown and Spectre they have RIGHT NOW, including me.

How long will it take, till everything is fixed?

Consuli


----------



## Corday (Mar 3, 2010)

consuli said:


> In which way could these two firewalls be affected by Meltdown and Spectre? AFAIK there are no updates yet.
> 
> Is there a way to test it out?
> 
> Consuli


Hacking for Dummies: Test your firewall rules


----------



## joeten (Dec 4, 2008)

We are willing to discuss, just not willing to debate, and that is where you are heading as no answer will satisfy your position. The chances of you personally being attacked as an individual are slim as there is little to no real profit in that, and if you are a big enough company then you should be willing to trust in those you employ for your IT and Security to ensure you're adequately protected.


----------



## consuli (Feb 15, 2018)

joeten said:


> And if you are a big enough company then you should be willing to trust in those you employ for your IT and Security to ensure you're adequately protected.


To be frank, I am an academic freelancer running a one-man business.

Thus, the IT department is me and myself, alone.

That is why I am trying to figure it out, as well as I can.

Sorry if I have been disturbing your forum interests (which I do not know). If there has been any disturbance, just let me know.

Consuli


----------



## joeten (Dec 4, 2008)

I honestly believe you have little to worry about, and if you're looking at things from the academic side you might be better looking to the forums of security companies where discussions of the pros and cons + development strategies may be more widely theorized.


----------



## VividProfessional (Apr 29, 2009)

For some of the issues you have to be stood or sat right in front of the hardware to enable a hacking attempt with these flaws. Make sure your office doors are locked.


----------



## consuli (Feb 15, 2018)

joeten said:


> If you're looking at things from the academic side you might be better looking to the forums of security companies where discussions of the pros and cons + development strategies may be more widely theorized.


Forums of security companies? 
You mean the forums of the manufacturer, respectively the firewall OS forum in case of an open source firewall OS?

Consuli


----------



## joeten (Dec 4, 2008)

Whichever one you choose, just remember all security companies etc. will be working on some type of program or solution, for as much as they can mitigate the problem.


----------

