Details of several vulnerabilities present in common processor models have recently been discovered by researchers at Google Project Zero and the Institute of Applied Information Processing and Communications (IAIK) at the Graz University of Technology.
The vulnerabilities, dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5715 and CVE-2017-5753), take advantage of the way most modern CPUs are designed. Many hardware and Cloud vendors have released statements disclosing the level of impact these vulnerabilities have on their operations as well as on the security of their clients’ data. HonestRepair would like to take some time to also disclose what these recent discoveries mean to us and our clients.
About The Vulnerabilities
Meltdown (CVE-2017-5754) targets a feature of modern CPUs called “Speculative Execution.” This vulnerability can only be exploited on CPUs from certain product lines of certain vendors. More specifically, most modern Intel CPUs are affected (in other words, most of the computer market). The exploit uses the CPU’s branch prediction features in dubious ways to read protected parts of memory. For more information about the Meltdown vulnerability, please visit https://meltdownattack.com/.
Two versions of Spectre also target the “Speculative Execution” feature of modern CPUs, but in a different way than Meltdown. Variant one (CVE-2017-5715) uses a method called “Branch Target Injection.” Variant two (CVE-2017-5753) uses a method called “Bounds Check Bypass.” The Spectre attack also uses the CPU’s branch prediction features in dubious ways to read protected parts of memory. For more information about the Spectre vulnerability, please visit https://spectreattack.com/.
With any variant of either the Meltdown or Spectre vulnerability, an attacker could potentially gain access to parts of memory which contain passwords, cryptographic keys, or other sensitive information.
Impact of Meltdown & Spectre on HonestRepair Services
Unlike other web-application service providers, HonestRepair does not host its client data on outside or third-party servers. All of our infrastructure is owned, operated, and maintained by us from our HQ in Rowley, MA, USA. We designed and built our servers specifically for providing free, capable, and secure Cloud storage to our community. Our servers were built with AMD CPUs based on the Vishera architecture.
With that being said, we have never been vulnerable to the Meltdown vulnerability (CVE-2017-5754). Additionally, we were never vulnerable to variant one of Spectre (CVE-2017-5715), “Branch Target Injection.” We were, however, vulnerable to variant two of Spectre (CVE-2017-5753), “Bounds Check Bypass,” until Canonical released an update to our Ubuntu operating system on January 6th, 2018. Since then we have applied the latest Canonical Ubuntu updates and are continuing to monitor Ubuntu development.
We have no reason to believe, and no evidence to suggest, that our services have been exploited by actors using either the Meltdown or Spectre vulnerabilities. As always, we will continue to keep the software and firmware within our infrastructure up to date to ensure the highest possible level of security and reliability for our users. We rely on your trust to keep our services online, and we promise to always stay vigilant when it comes to defending that trust.
Thanks again for using the HonestRepair Cloud!