Spectre and Meltdown

Spectre and Meltdown exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Spectre and Meltdown to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.

What about other Spectre & Meltdown related vulnerabilities?

Spectre and Meltdown prompted the security community to do more research into this class of vulnerability. From time to time, new vulnerabilities are found and disclosed. Most of these involve manipulating speculative execution side channels in processors. Examples include Foreshadow, Foreshadow-NG, Zombieload, L1TF, MDS and multiple others.

How are you affected by these vulnerabilities?

While programs and virtual machines normally only see their own data, a malicious program using these vulnerabilities can exploit the fill buffers to get hold of secrets currently processed by other running programs or virtual machines. These secrets can be user-level secrets, such as browser history, website content, user keys, and passwords, or system-level secrets, such as disk encryption keys.

Therefore, these vulnerabilities impact servers that run multi-tenant virtualization.

What are risky workloads to perform?

Speculative execution side-channel vulnerabilities mainly, but not exclusively, impact multi-tenant virtualization solutions. An example is using the server to run multiple Virtual Private Servers (VPSs) where you do not have any control over who uses them. Potentially, data could leak between virtual machines.

How hard is it to exploit these vulnerabilities?

Multiple proof-of-concept exploits exist for these vulnerabilities. However, these are not very practical, as they take a long time, require in-depth knowledge, or both to be effective.

How can you keep your server secure?

In order to mitigate these vulnerabilities, it is important to:

  1. Keep your operating system up to date
  2. Keep your microcode up to date
  3. Keep your virtual machine manager up to date
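
One way to check the result of the three steps above on a Linux server, as an added example that is not Leaseweb's own tooling: the kernel reports a one-line status per issue under /sys/devices/system/cpu/vulnerabilities, and the script below classifies each entry. The function names and verdict labels (OK, MITIGATED, PARTIAL, VULNERABLE, UNKNOWN) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Leaseweb tooling). Assumes a Linux kernel that exposes
# one status file per issue (meltdown, spectre_v2, l1tf, mds, ...) in sysfs.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE: map a kernel status line to a verdict label.
# The labels are this example's own, not kernel output.
classify_status() {
    case "$1" in
        "Not affected"*)           echo OK ;;
        # "Mitigation: ...; SMT vulnerable" means a gap remains (e.g. SMT on)
        Mitigation*[Vv]ulnerable*) echo PARTIAL ;;
        Mitigation*)               echo MITIGATED ;;
        Vulnerable*)               echo VULNERABLE ;;
        *)                         echo UNKNOWN ;;
    esac
}

# check_mitigations [DIR]: print "name<TAB>verdict<TAB>raw status" per entry.
# Returns 0 if every entry is OK or MITIGATED, 1 if any entry needs attention,
# 2 if DIR is missing (kernel predates this interface, or host is not Linux).
check_mitigations() {
    vuln_dir=${1:-$VULN_DIR_DEFAULT}
    if [ ! -d "$vuln_dir" ]; then
        echo "cannot read $vuln_dir" >&2
        return 2
    fi
    attention=0
    for entry in "$vuln_dir"/*; do
        [ -f "$entry" ] || continue
        status_line=
        IFS= read -r status_line < "$entry" || true
        verdict=$(classify_status "$status_line")
        printf '%s\t%s\t%s\n' "${entry##*/}" "$verdict" "$status_line"
        case "$verdict" in
            OK|MITIGATED) ;;
            *) attention=1 ;;
        esac
    done
    return "$attention"
}

# Query the live host only when called as: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_mitigations
fi
```

For any entry that is not OK or MITIGATED, the raw status line in the third column states what the kernel found.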

What does Leaseweb do to protect its own platforms from these types of vulnerabilities?

In line with best practices, as described by the vendors, Leaseweb assesses the impact of each vulnerability for each of Leaseweb’s platforms. Based on this assessment, appropriate measures will be implemented. Leaseweb will inform customers of the risks of a vulnerability and of the measures that should be taken to limit them.