Nicolle posted in: Security

Meltdown and Spectre

2018 started with the news of Meltdown and Spectre. While not making a splash in the mainstream news, it has been front and centre for IT and tech publications. As most know by now, security researchers found design flaws which enable access to sensitive information across electronic devices including (but not limited to) servers, mobiles and laptops.

What do Meltdown and Spectre Do?

Meltdown: allows programmes running on a computer to break into an operating system’s central memory, accessing data they aren’t meant to.

Spectre: makes it possible for a programme running on one chip to access data in a separate programme, but without using the operating system.  Spectre is related to Meltdown, but much more complex to mitigate.

How could this happen?

These vulnerabilities have existed for 20 years and have been linked to an industry move made a decade ago: granting pre-emptive access to a computer's processor, allowing a programme to predict what is required before receiving the request. Fixing the flaw would slow down every computer process, and that’s something the majority of consumers and workers just won’t accept.

So how do we protect ourselves?

The answer is always patching, right? To an extent, patching will help, but it isn’t going to solve the problem.

Vendors have rushed to create patches for Meltdown, which because of its nature is easier to mitigate than Spectre. However, some of these patches have significant performance impacts, and over the last few weeks Microsoft have paused and resumed their patch releases, whilst Intel has recommended that customers not install firmware.

Spectre is more complex again, and we believe that the IT world will be dealing with Spectre’s ramifications for a few years to come.  The current state of the art of protection against Spectre-related issues is more related to detection and response than purely patching vulnerabilities.

It’s a confusing time for anyone managing a server or network, and our Meltdown & Spectre working group have been busy researching and finding resolutions, mitigations and solutions, and assisting our customers.

We understand how concerning, complex and problematic this has been for our customers and beyond. Below is the current status for our servers and infrastructures with links to helpful guides. If you are still concerned about your Memset Infrastructure or have any questions please contact the account management team – 01483 608010.

MEMSET STATUS:

Next Gen VPS

Find out if your VPS is Next Gen or Classic here.

Windows

VM to VM or VM - hypervisor attacks: Not vulnerable
VM local OS attacks (Windows OS vulnerability): Vulnerable - Customers should apply patching at their own risk, with appropriate rollback plans in place.

Linux

VM to VM or VM - hypervisor attacks: Not vulnerable
VM local OS attacks (Linux OS vulnerability): Vulnerable - Requires customer patching, including kernel patching as per our documentation pages.

Classic Cloud VPS

Windows 

VM to VM or VM - hypervisor attacks: Not vulnerable
VM local OS attacks (Windows OS vulnerability): Vulnerable - Customers should apply patching at their own risk, with appropriate rollback plans in place.

Linux

VM to VM or VM - hypervisor attacks: Not vulnerable
VM local OS attacks (Linux OS vulnerability): Vulnerable - Requires customer patching, including kernel patching as per our documentation pages.

Dedicated Servers

Windows

Microsoft Windows OS is vulnerable to Meltdown and Spectre.

OS patches are available; however, our advice is to carry out these updates at your own risk and with appropriate rollback plans in place.

Customers may request that Memset apply a microcode update to the underlying server that may reduce the impact of Spectre.

Linux

All Linux OS are vulnerable to Meltdown and Spectre.

Customers should update their kernel version to that shown on our documentation pages.

Customers may request that Memset apply a microcode update to the underlying server that may reduce the impact of Spectre.
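
One way to confirm that a Linux VPS or dedicated server has picked up the fixes after a kernel update is to read the status the kernel itself reports. The script below is an added example, not Memset tooling or documentation; it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities, and the function names and the sample values in demo() are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Memset's tooling): read the kernel's own report of
# Meltdown/Spectre mitigation state from sysfs on a Linux VPS or server.
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# check_host [DIR]: prints one line per issue.
# Returns 0 = all mitigated or not affected, 1 = something vulnerable or
# unreadable, 2 = kernel exposes no status directory (treat as unpatched).
check_host() {
    dir=${1:-$VULN_DIR}
    if [ ! -d "$dir" ]; then
        echo "$dir missing: kernel reports no mitigation status"
        return 2
    fi
    host_rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(cat "$dir/$name")
            verdict=$(classify_status "$line")
        else
            line="(no entry)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$line"
        case "$verdict" in VULNERABLE|UNKNOWN) host_rc=1 ;; esac
    done
    return "$host_rc"
}

# Constructed sample: a guest with the Meltdown fix (PTI) but no Spectre fixes.
demo() {
    d=$(mktemp -d)
    echo "Mitigation: PTI" > "$d/meltdown"
    echo "Vulnerable" > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/spectre_v2"
    demo_rc=0
    check_host "$d" || demo_rc=$?
    rm -rf "$d"
    return "$demo_rc"
}
```

Calling check_host with no argument inspects the machine it runs on; run it after rebooting into the updated kernel, since the status reflects the running kernel rather than the installed package.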

Memset Infrastructure

Due to decisions taken regarding our existing hypervisor and Linux kernel builds, the initial impact of Meltdown was minimal.  We have identified additional vulnerable internal systems and applied patches or mitigations where available.  BIOS and microcode updates have been applied to impacted systems to mitigate risks related to Spectre, and we will continue to push for new vendor patches to be made available.

Memset are constantly monitoring our infrastructure and carry out regular security testing. We have specifically identified and patched any systems that may be exposed to untrusted users, or systems that run untrusted code to ensure they are patched correctly.