It’s likely you’ve seen the names Meltdown and Spectre in the news lately. In January, the discovery of these two vulnerabilities in computer processors hit the media. People became aware attackers could exploit them to glean confidential data from servers, PCs, mobile phones and tablets.
Both vulnerabilities take advantage of how modern processors execute instructions, as well as how operating systems allow applications to run. They allow an attacker to copy processor or kernel memory before the data there can be over-written or properly protected.
Even though these vulnerabilities have quietly existed for many years, there has been no known attack exploiting them, for various reasons. Within days of the announcement, malware exploits began to appear and continue to appear. So far, none have been found to be gathering data, as of yet. But it is likely they will turn vicious soon enough.
Are connected KMC devices at risk?
You may have been wondering if your connected KMC devices are at risk. We have verified with our vendors that our only product with these vulnerabilities is the Dell Edge Gateway, used by KMC Commander. The processors used in all of our other products do not have these issues. But KMC VP of Technology Dave Bohlmann wants KMC Commander users to know every precaution is in place to keep KMC Commander gateways secure.
“KMC Controls chose the operating system in KMC Commander, called Ubuntu Core/Snappy, specifically for the security features it provides: features not included in other available operating systems,” said Dave Bohlmann, KMC’s VP of Technology. “We have discussed the vulnerabilities with Canonical, makers of the various Ubuntu editions, and agree with them that the security features already designed and implemented in Ubuntu Core and snaps running on the box provide excellent security for our product. At present, we do not know of a method by which malware can be used against KMC Commander.”
KMC Commander’s Built-In Security Features
KMC Commander has a variety of security features built in, including:
- Sandboxing of all applications to execute in their own part of memory and not cross memory boundaries
- Operating system kernel memory is not writable – the memory the vulnerabilities use – and is also sandboxed as needed by each application
- Applications (i.e., snaps) have strict rules that enforce what other applications and OS functions they can use; the default rule is “no access” and because of that, rogue applications cannot simply “just run” as in other operating systems
- Application rules are manually determined by KMC for our snap, and verified and approved by Canonical before the snap is accepted and ready for distribution
- The only snaps run on KMC Commander are those approved and placed in our store. The operating system ensures that only these approved and digitally signed and verified snaps run on the gateway
- All messaging is initiated by the KMC Commander gateway and not from the outside
- White-listing for IP addresses and ports is used, so outside traffic from only certain, approved services are allowed
OS Patch Status
Amazon announced on January 23, 2018 that they have completed updating their systems with OS patches. This includes the cloud services used by KMC Commander.
“Of course, the best defense is ‘defense in depth,’” said Bohlmann. “Our partners and their customer organizations should diligently continue using best practices in networking, firewalls and patch updates, among other security measures.”
Every operating system vendor now has patches available to mitigate these vulnerabilities, and distribution is being rolled out for various editions. Without them, your servers, PCs and laptops are still very vulnerable. Bohlmann suggests you install the appropriate patch updates at your earliest convenience. However, be aware some older versions do not yet have patches. Also, possible exploits for Spectre can be accomplished using web browsers. All web browsers have patches available now as well.
In addition, processor manufacturers have microcode fixes in place for Meltdown and some of Spectre’s vulnerabilities, but not all. Even so, the operating systems and web browser patches that have come out provide a very good level of mitigation and protection.
These OS patches do cause systems to perform at a slower pace. Some earlier patches even caused reboots! Recent test results show slow-downs of 2-10 percent depending on the operating system and the version of the processor.
Staying Up to Date
We strongly recommend that your organization keep up-to-date with Meltdown and Spectre news. We suggest these two websites for updated information:
KMC Controls keeps security as a high priority, and we will continue to monitor various government agencies and private entities for on-going cybersecurity news, Spectre/Meltdown or otherwise.