Enable Additional Mitigation for CPU Vulnerabilities
You can mitigate vulnerabilities that affect CPUs on Secure Web Gateway by disabling hyper-threading, which creates a risk of being affected. The mitigation is implemented in addition to other measures executed by microcode that is loaded when an appliance starts.
Hyper-threading improves CPU performance, but also exposes CPUs to several MDS hyper-thread sibling vulnerabilities. Disabling hyper-threading mitigates these vulnerabilities, but slows down performance. It is, therefore, not enabled by default when an appliance starts, initially or as a restart.
You can enable this mitigation by selecting a suitable option from a menu that is shown on your administration system when an appliance starts. You can also have an option permanently selected by editing a system file.
The mitigation can be enabled on the Secure Web Gateway appliance models where hyper-threading is used:
- WBG-4500-C, WBG-5500-C, WBG-5500-D, WBG-5500-E
It cannot be enabled on the WBG-5000-C models where the relevant microcode is not available yet.
- When an appliance starts, wait until these menus are shown on your administration system.
McAfee Web Gateway Advanced options for McAfee Web Gateway Advanced options for McAfee Web Gateway (no SMT) Advanced options for McAfee Web Gateway (no microcode) Use the ^ and v keys to change the selection. Press 'e' to edit the selected item, or 'c' for a command prompt.
- Select an option from the second (no SMT) or third (no microcode) menu, depending on whether you want to enable additional mitigation or load no microcode at all.
Advanced options for McAfee Web Gateway (no SMT)
— Provides options for proceeding with additional mitigation.
These options are for disabling hyper-threading on CPUs, which mitigates their risk of being affected by several vulnerabilities. This has an impact on performance.Advanced options for McAfee Web Gateway
(no microcode) — Provides options for proceeding without loading microcode.
Not loading the microcode exposes CPUs to vulnerabilities caused by hyper-threading, as well as to various other vulnerabilities. We recommend not selecting an option from this menu unless it is required to solve issues with stability or with starting an appliance.
- To enable any of these options permanently, edit the /etc/default/grub system file.
- Append a line for the GRUB_DEFAULT parameter as follows:
GRUB_DEFAULT='2>0'
The parameter values serve to select a menu and an option, with option numbering beginning at 0. For example, '2 > 0' selects the first option of the second menu. - After editing the system file, run this command:
update-grub
- Append a line for the GRUB_DEFAULT parameter as follows: