Meltdown & Spectre Vulnerabilities in Modern CPUs
As you may be aware, there's a critical design flaw in practically all processors that allows malicious attackers to read the entire memory of a vulnerable system, including workstations, servers and mobile devices. This means an attacker can steal sensitive data such as passwords, SSL keys and data files from affected systems. The issue comes down to two vulnerabilities: Meltdown, which at this point can be exploited locally and applies only to Intel and some ARM chips; and Spectre, which can also be exploited remotely through a website with malicious JavaScript code, against machines running any type of chip, including Intel, AMD, ARM, and likely every other processor.

While there's a lot of information still being released, it's clear that these vulnerabilities are most critical in a public cloud (AWS/Azure/Google) environment where host systems are shared between multiple users.

Egnyte customers are served from our data centers on an infrastructure that is fully owned and managed by Egnyte. Since this is not a shared infrastructure, the risk of Meltdown and Spectre is greatly reduced and external attackers cannot use it against us or our users.

Many vendors have released concrete patches. As our number one priority, this has been taken very seriously by the security team at Egnyte, and we want to assure all our customers that we will be actively watching the developments and deploying the appropriate patches as soon as they're made available.

For Egnyte customers, here's a summary of all activities that have been performed so far:
- Patches against Meltdown for Linux and Windows (KPTI, formerly KAISER) have been deployed.
- All instances of web browsers used for automated testing and such have been updated.
- VMware has also released a patch for Spectre. ESXi is not affected by Meltdown. Both the host and the guest OS will need to be patched.
- We’ll be releasing patches for our on-prem environments as soon as we complete performance testing that is currently underway.
Some recommendations to ensure your personal devices are safe:
- Microsoft has also released a patch to address exploits from Meltdown. However, they noted that, unless a registry key is updated by the antivirus package, installing the security patch can result in a blue screen of death (BSoD).
- Apple has already released mitigations in iOS 11.2 and macOS 10.13.2. All users should ensure that they are running the latest versions of these.
- To protect against web-based exploitation, users should ensure they have the latest versions of web browsers installed. For older versions of Chrome, it's recommended to enable an additional security flag: https://support.google.com/chrome/answer/7623121?hl=en

The Egnyte Security Team is continually monitoring the latest news on the Meltdown and Spectre vulnerabilities to ensure we stay up to date on all mitigations for Egnyte products, infrastructure, and our internal IT environment.

You can get further details on these vulnerabilities here and here, and remember to update your desktop software daily, as there may be more updates coming to resolve these issues in depth.