]> git.ipfire.org Git - people/pmueller/ipfire-2.x.git/blob - html/cgi-bin/vulnerabilities.cgi
projects / people / pmueller / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
suricata: Change midstream policy to "pass-flow"
[people/pmueller/ipfire-2.x.git] / html / cgi-bin / vulnerabilities.cgi
1 #!/usr/bin/perl
2 ###############################################################################
3 # #
4 # IPFire.org - A linux based firewall #
5 # Copyright (C) 2007-2020 IPFire Team <info@ipfire.org> #
6 # #
7 # This program is free software: you can redistribute it and/or modify #
8 # it under the terms of the GNU General Public License as published by #
9 # the Free Software Foundation, either version 3 of the License, or #
10 # (at your option) any later version. #
11 # #
12 # This program is distributed in the hope that it will be useful, #
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of #
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
15 # GNU General Public License for more details. #
16 # #
17 # You should have received a copy of the GNU General Public License #
18 # along with this program. If not, see <http://www.gnu.org/licenses/>. #
19 # #
20 ###############################################################################
21
22 use strict;
23
24 # enable only the following on debugging purpose
25 #use warnings;
26 #use CGI::Carp 'fatalsToBrowser';
27
28 require '/var/ipfire/general-functions.pl';
29 require "${General::swroot}/lang.pl";
30 require "${General::swroot}/header.pl";
31
32 my %VULNERABILITIES = (
33 "itlb_multihit" => "$Lang::tr{'itlb multihit'} (CVE-2018-12207)",
34 "l1tf" => "$Lang::tr{'foreshadow'} (CVE-2018-3620)",
35 "mds" => "$Lang::tr{'fallout zombieload ridl'} (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091)",
36 "meltdown" => "$Lang::tr{'meltdown'} (CVE-2017-5754)",
37 "spec_store_bypass" => "$Lang::tr{'spectre variant 4'} (CVE-2018-3639)",
38 "spectre_v1" => "$Lang::tr{'spectre variant 1'} (CVE-2017-5753)",
39 "spectre_v2" => "$Lang::tr{'spectre variant 2'} (CVE-2017-5715)",
40 "srbds" => "$Lang::tr{'srbds'} (CVE-2020-0543)",
41 "tsx_async_abort" => "$Lang::tr{'taa zombieload2'} (CVE-2019-11135)",
42 );
43
44 my $errormessage = "";
45 my $notice = "";
46
47 my %mainsettings = ();
48 my %color = ();
49 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
50 &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
51
52 my %settings = (
53 "ENABLE_SMT" => "auto",
54 );
55 &General::readhash("${General::swroot}/main/security", \%settings);
56
57 &Header::showhttpheaders();
58
59 &Header::getcgihash(\%settings);
60
61 if ($settings{'ACTION'} eq $Lang::tr{'save'}) {
62 if ($settings{'ENABLE_SMT'} !~ /^(auto|on)$/) {
63 $errormessage = $Lang::tr{'invalid input'};
64 }
65
66 unless ($errormessage) {
67 &General::writehash("${General::swroot}/main/security", \%settings);
68 $notice = $Lang::tr{'please reboot to apply your changes'};
69 }
70 }
71
72 my %checked = ();
73 $checked{'ENABLE_SMT'}{'auto'} = '';
74 $checked{'ENABLE_SMT'}{'on'} = '';
75 $checked{'ENABLE_SMT'}{$settings{'ENABLE_SMT'}} = "checked";
76
77 &Header::openpage($Lang::tr{'processor vulnerability mitigations'}, 1, '');
78
79 &Header::openbigbox("100%", "left", "", $errormessage);
80
81 if ($errormessage) {
82 &Header::openbox('100%', 'left', $Lang::tr{'error messages'});
83 print "<font color='red'>$errormessage</font>";
84 &Header::closebox();
85 }
86
87 if ($notice) {
88 &Header::openbox('100%', 'left', $Lang::tr{'notice'});
89 print "<font color='red'>$notice</font>";
90 &Header::closebox();
91 }
92
93 &Header::openbox('100%', 'center', $Lang::tr{'processor vulnerability mitigations'});
94
95 print <<END;
96 <table class="tbl" width='100%'>
97 <thead>
98 <tr>
99 <th align="center">
100 <strong>$Lang::tr{'vulnerability'}</strong>
101 </th>
102 <th align="center">
103 <strong>$Lang::tr{'status'}</strong>
104 </th>
105 </tr>
106 </thead>
107 <tbody>
108 END
109
110 my $id = 0;
111 for my $vuln (sort keys %VULNERABILITIES) {
112 my ($status, $message) = &check_status($vuln);
113 next if (!$status);
114
115 my $colour = "";
116 my $bgcolour = "";
117 my $status_message = "";
118
119 # Not affected
120 if ($status eq "Not affected") {
121 $status_message = $Lang::tr{'not affected'};
122 $colour = "white";
123 $bgcolour = ${Header::colourgreen};
124
125 # Vulnerable
126 } elsif ($status eq "Vulnerable") {
127 $status_message = $Lang::tr{'vulnerable'};
128 $colour = "white";
129 $bgcolour = ${Header::colourred};
130
131 # Mitigated
132 } elsif ($status eq "Mitigation") {
133 $status_message = $Lang::tr{'mitigated'};
134 $colour = "white";
135 $bgcolour = ${Header::colourblue};
136
137 # Unknown report from kernel
138 } else {
139 $status_message = $status;
140 $colour = "black";
141 $bgcolour = ${Header::colouryellow};
142 }
143
144 my $table_colour = ($id++ % 2) ? $color{'color22'} : $color{'color20'};
145
146 print <<END;
147 <tr bgcolor="$table_colour">
148 <td align="left">
149 <strong>$VULNERABILITIES{$vuln}</strong>
150 </td>
151
152 <td bgcolor="$bgcolour" align="center">
153 <font color="$colour">
154 END
155 if ($message) {
156 print "<strong>$status_message</strong> - $message";
157 } else {
158 print "<strong>$status_message</strong>";
159 }
160
161 print <<END;
162 </font>
163 </td>
164 </tr>
165 END
166 }
167
168 print <<END;
169 </tbody>
170 </table>
171 END
172
173 &Header::closebox();
174
175 print "<form method='post' action='$ENV{'SCRIPT_NAME'}'>\n";
176
177 &Header::openbox('100%', 'center', $Lang::tr{'settings'});
178
179 my $smt_status = &smt_status();
180
181 print <<END;
182 <table class="tbl" width="66%">
183 <tbody>
184 <tr>
185 <th colspan="2" align="center">
186 <strong>$smt_status</strong>
187 </th>
188 </tr>
189
190 <tr>
191 <td width="50%" align="left">
192 $Lang::tr{'enable smt'}
193 </td>
194
195 <td width="50%" align="center">
196 <label>
197 <input type="radio" name="ENABLE_SMT"
198 value="auto" $checked{'ENABLE_SMT'}{'auto'}>
199 $Lang::tr{'automatic'}
200 </label> /
201 <label>
202 <input type="radio" name="ENABLE_SMT"
203 value="on" $checked{'ENABLE_SMT'}{'on'}>
204 $Lang::tr{'force enable'} ($Lang::tr{'dangerous'})
205 </label>
206 </td>
207 </tr>
208
209 <tr>
210 <td colspan="2" align="right">
211 <input type="submit" name="ACTION" value="$Lang::tr{'save'}">
212 </td>
213 </tr>
214 </tbody>
215 </table>
216 END
217
218 &Header::closebox();
219
220 print "</form>\n";
221
222 &Header::closebigbox();
223
224 &Header::closepage();
225
226 sub check_status($) {
227 my $vuln = shift;
228
229 open(FILE, "/sys/devices/system/cpu/vulnerabilities/$vuln") or return undef;
230 my $status = <FILE>;
231 close(FILE);
232
233 chomp($status);
234
235 # Fix status when something has been mitigated, but not fully, yet
236 if ($status =~ /^(Mitigation): (.*vulnerable.*)$/) {
237 return ("Vulnerable", $status);
238 }
239
240 if ($status =~ /^(Vulnerable|Mitigation): (.*)$/) {
241 return ($1, $2);
242 }
243
244 return $status;
245 }
246
247 sub smt_status() {
248 open(FILE, "/sys/devices/system/cpu/smt/control");
249 my $status = <FILE>;
250 close(FILE);
251
252 chomp($status);
253
254 if ($status eq "on") {
255 return $Lang::tr{'smt enabled'};
256 } elsif (($status eq "off") || ($status eq "forceoff")) {
257 return $Lang::tr{'smt disabled'};
258 } elsif ($status eq "notsupported") {
259 return $Lang::tr{'smt not supported'};
260 }
261
262 return $status;
263 }
Peter's tree of IPFire 2.x