Meltdown and Spectre security patches

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

Moderator: Moderators

Post Reply
pacofonix
Posts: 7
Joined: Fri Jan 12, 2018 6:48 am

Meltdown and Spectre security patches

Post by pacofonix »

Hello Gargoyle community!

Just wanted to warn and ask about Meltdown and Spectre for our routers with Gargoyle, as these security flaws could affect the ARM processors in them and could be exploited though SSH, for example See the official security report at meltdownattack(dot)com

As patches for Linux kernel are already available and they are enough to fix these bugs, could it be possible to include them in Gargoyle?

Cheers!

Lantis
Moderator
Posts: 6735
Joined: Mon Jan 05, 2015 5:33 am
Location: Australia

Re: Meltdown and Spectre security patches

Post by Lantis »

Once patches are ported to LEDE, and then Gargoyle ported to LEDE. Sure.

What arbitrary code are you allowing to run on your router that makes you worry about this vulnerability?
Unless i am misunderstanding the whole issue, unless rogue code is allowed to run through some mechanism on your router it can't exploit the issue.
And if rogue code is running on your router, well that ship sailed a while ago.
http://lantisproject.com/downloads/gargoyle_ispyisail.php for the latest releases
Please be respectful when posting. I do this in my free time on a volunteer basis.

pacofonix
Posts: 7
Joined: Fri Jan 12, 2018 6:48 am

Re: Meltdown and Spectre security patches

Post by pacofonix »

Hi! I am not allowing any code in my router apart from Gargoyle, SSH server (auth with certs) and OpenVPH.

I just though that in other cases where SSH password could be stolen, then code could be run there. Or just a Javascript code injected anywhere, I don't know, just guessing use cases, not exacly mine.

But it is nice to know that Gargoyle is being ported to LEDE! And as I can see, part of OpenWRT now. They are working on patching these bugs: forum.lede-project(dot)org/t/security-meltdown-and-spectre-vulnerabilities-in-arm/10283/23

Thanks Lantis for your attention!

Post Reply