Security Vulnerability – Meltdown and Spectre

Screen Magic is working to ensure optimal security for Screen Magic systems or devices against the major security vulnerability, Meltdown and Spectre.

Screen Magic is aware of these recent vulnerabilities, which were publicly disclosed on January 3rd, 2018 by Google. Both highlight the potential to extract information from CPU cache by exploiting certain CPU hardware implementation mechanisms.

Description of the vulnerabilities

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware vulnerabilities allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. For this, malicious code would need to be executed on the device.

Meltdown

Meltdown (CVE-2017-5754) breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.

Spectre

Spectre (CVE-2017-5753 and CVE-2017-5715) breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets.

Our system

SMS Magic-Interact app is hosted on app exchange. Salesforce works as a client to SMS Magic servers hosted on Amazon web services (AWS). All communication between Salesforce and SMS Magic is secured by encryption using TLS 1.2. Our database is hosted on RDS by Amazon. It is based on multi-az architecture. AWS assures that real-time database backups are maintained on different regions. We do have a maintenance plan in place to keep the existing infrastructure updated and healthy.

Impact on our Systems & Services

We are depended on the vendors such as AWS and the service providers etc. to ensure the systems are updated and maintained as per the industry standards and to keep abreast with the Meltdown and Spectre vulnerabilities.

Along with this we also depend on the OS, chipset providers to release the patches/updates which we can apply on our systems.

Approach to address the identified vulnerabilities

The security and integrity of our customer’s data and devices remains of utmost importance to Screen Magic. Screen Magic technology and security experts have identified the list of software’s and the systems to be looked into w.r.t the vulnerabilities.

We are testing the updates/patches released by the vendors prior to applying them.

Screen Magic cloud service provider AWS has confirmed they have completed their patching at the infrastructure level to address this vulnerability. We have not received any indication from AWS that these vulnerabilities have been used to attack our or any other AWS customer.

AWS has remediated their hypervisor systems as a primary line of defense to continue to provide the safe environment for its customers and data.

We are not aware of any data or security breaches for any of our customer.

Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors, and even cloud computing platform vendors.

Our technology and security experts are working with the hardware, operating system vendors, cloud hosting platform Amazon Web Services (AWS) as per the industry-wide approach to address these vulnerabilities.

Timelines

We’re primarily dependent on the cloud hosting providers AWS and OS vendor Ubuntu. We are awaiting the closure date from them towards a permanent solution for this issue.

We’re closely working with both of them for a solution towards these vulnerabilities. We’re also internally testing these updates prior to implementing them on the production server.

Progress on this action plan will be published during the first week of each month.

Customers can contact their account manager for more details.

Methodology

As this is quite complicated issue to resolve and it might impact performance of systems so we are closely monitoring CVE and OS vendors activities on this.

  1. Basis the patches released from vendors we’ll observe and select those patches which are applicable for Screen Magic systems OS and hardware.
  2. We’ll apply these patches in testing environment. Systems will be observed for over a period to look for application behavior and performance issues, if any.
  3. If any impact is noted, we’ll resolving the issues and check if the systems are working fine.
  4. Post successful testing the packages will be pushed in the production environment.

References for the vulnerabilities

Reference links:

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown#Current_Status

https://insights.ubuntu.com/2018/01/24/meltdown-spectre-and-ubuntu-what-you-need-to-know/

https://forums.aws.amazon.com/thread.jspa?messageID=822571

https://aws.amazon.com/speculative-execution-os-updates/

https://www.kb.cert.org/vuls/id/584653

https://www.atlassian.com/blog/announcements/update-on-meltdown-and-spectre-processor-vulnerabilities

https://help.salesforce.com/articleView?id=000269171&language=en_US&type=1

https://spanning.com/blog/are-meltdown-and-spectre-security-threats-to-saas-companies-like-spanning/

https://www.dynatrace.com/support/security-alerts/meltdown-spectre/

https://newsroom.intel.com/news/intel-responds-to-security-research-findings/

https://www.amd.com/en/corporate/speculative-execution