So far, there are three known variants of the issue:
Variant 1: bounds check bypass (CVE-2017-5753)
Variant 2: branch target injection (CVE-2017-5715)
Variant 3: rogue data cache load (CVE-2017-5754)
These are commonly known as Spectre (Variants 1 and 2) and Meltdown (Variant 3).
FreeBSD developers are working on a fix for Variant 3; its progress can be monitored here. As we postulated, the changes are extensive. The FreeBSD developers will likely wait a bit before starting the backport of these patches to both FreeBSD 11 and 10. Once these backports are available, snapshots including the fixes will only be available for pfSense® 2.4.x and the amd64 architecture.
Once the development snapshots are ready, we will benchmark pfSense on our appliances to measure any performance differences. After testing is complete on this and other changes, we will release pfSense version 2.4.3 with mitigations for Variant 3.
| Processor | Variant 1 | Variant 2 | Variant 3 |
|---|---|---|---|
| SG-1000 | Yes (under review) | Yes | No |
The Variant 1 and 2 vulnerabilities will take longer to fix; however, for the majority of our users this should not be a concern. As explained by Gordon Tetlow in the mailing list mentioned above, the number of actually vulnerable cases for Variant 1 is low; more analysis needs to be done. For Variant 2, there is currently a concept called ‘retpoline’ which mitigates the issue and will likely be used by FreeBSD.
Our security recommendations for users of pfSense software:
Most of our users should not be concerned as long as they follow our basic guidelines for limiting access to the WebGUI and shell, as well as physical access to the pfSense appliance.
If you are running a virtualized pfSense instance, make sure to update your host. Major virtualization vendors have already issued updates with fixes for Meltdown and/or Spectre.
Our Amazon Web Services and Microsoft Azure customers are safe at the host infrastructure level, as both providers have already patched their infrastructure against these vulnerabilities.
We would like to thank FreeBSD developers for their quick response and their work on this issue.