This Vulnerability Note is the product of ongoing analysis and represents our best knowledge as of the most recent revision (See below). As a result, the content may change as our understanding of the issues develops.
DataBank has been made aware of a series of vulnerabilities against virtually every CPU (processor) from Intel, AMD and ARM. The following is information that is provided for customers as an FAQ. Check back often as this will be updated. If your question is not answered here, please login and submit a request ticket with your question.
What is it?
Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Are customer servers impacted?
Yes – virtually every computer and mobile device, home or business machine, including Windows, Linux, Apple, iPad’s, iPhones and Android devices is impacted by this vulnerability.
What is our assessment of risk/threat level?
The risk, as identified by the Common Vulnerability Scoring System (CVSS) is *MODERATE* (Base 4.4, Temporal 3.4, Environmental 5.1). The DataBank CISO supports this assessment in the current state (1/5/2018).
Risk level Moderate? I hear about this all over the news as doom and gloom. How can it be moderate?
There are multiple factors involved in determining a risk rating. Though this vulnerability could result in loss of data and information, to exploit this vulnerability and gain access to the data is difficult. To exploit the vulnerability, an attacker would need to gain access to and run code on an impacted device.
In addition, the U.S. Computer Emergency Response Team (US-CERT) has stated that there are no known exploits. The UK equivalent team has identified the same. That means at this time no hacker has developed code to exploit the vulnerability.
Coupled together and with other factors, these bring the risk level to moderate.
***Note – risk ratings can change over time. DataBank will continue to monitor the situation and make adjustments as needed.***
Can I detect if someone has exploited Meltdown or Spectre against a system?
However, it is possible to determine if an unauthorized user has accessed a system through the log files.
Keep in mind, at this time there are no known exploits. The likelihood of someone having attacked you at this time is very, very minimal.
What is our guidance to customers?
Various software manufacturers have issued patches. The best and only defense against exploitation is patching of systems and applications.
If you are a managed services customer that has selected patching, patches will be applied in the normal schedule through routine patching cycles. If you desire patches to be applied earlier than routine periods, you may login through the portal and submit a ticketed request to do so.
If your services are for a colocation, patching will be at your own discretion and completed through routine processes as defined by your organization.
Is there a performance impact to a system if patches are applied?
Any performance impacts are workload-dependent and will be mitigated over time according to Intel, a chip manufacturer.
Academic testing and other reports indicate that there are varying performance impacts ranging from 5%-30% with databases having the larger impact.
At this time, we are testing deployments at DataBank to determine if there is an impact and if so in what configurations. More information will be provided as it becomes available.
When will patches be deployed?
Patches will be deployed in accordance with your current patching schedule. This is different for each customer. Support can assist in determining when the next patch schedule is due.
Can Anti-Virus protect against this?
Probably not. This type of exploit is outside of the realm of AV products.
If there is an attack, what can be leaked?
Proof of concept attacks in academic environments have been able to read the memory content (not the hard drive) of a computer. Data is not typically stored in memory long term. The types of data that could be included are passwords (at the time of use) and other sensitive data that has been accessed recently.
I want the ones and zeroes - How can I get more information?
A series of two academic reports are available – Meltdown here and Spectre here.
Vulnerability reports from US-CERT can be found here.
Owner: Chief Information Security Officer
Questions: Chief Information Security Officer
Effective Date: 01/05/2018
Last Reviewed Date: 01/05/2018
Last Reviewed by: Mark Houpt
Next Review Date: 01/2019