Recently discovered security threats known as “Meltdown” and “Spectre” are getting a lot of attention. Both exploit common features of modern microprocessors used in computers, tablets, smartphones, and other gadgets to create vulnerabilities that can put data at risk.
- Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a malicious program to access the memory, and thus also the secrets, of other programs and the operating system.
- Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, even those that follow best practices, into leaking their secrets.
If most desktop, laptop, and cloud computers are affected by these new threats, why is the risk to Nasuni customers low?
Meltdown and Spectre both require software running locally on computers to exploit unauthorized access to system memory. Nasuni Edge Appliances are hardened Linux-based appliances that do not allow local access. The only local software running on our appliances is provided by us, and we don’t offer any facility to run outside software on them. As a result, there is no practical way to exploit these vulnerabilities on Nasuni Edge Appliances, making the risks presented by Meltdown and Spectre to Nasuni customers very low.
That said, we are working to provide an update to the Nasuni Edge Appliance kernel that will include security updates to mitigate Meltdown and Spectre.
Keep in mind the industry only recently discovered this new class of security vulnerabilities. As a result, mitigations and associated best practices may change over time. We will continue to work with industry leaders and the open source communities to protect our customers from these and other known vulnerabilities, and make our Edge Appliances even more robust against attacks like Meltdown and Spectre.