Over the past few days various press releases have come to light regarding newly identified vulnerabilities affecting all modern servers, computers and devices that contain processors. The deficiencies are vast and far-reaching. To fix these issues there are several updates and patches that may need to be installed. As the Chief Information Officer here at Brady’s, I want to make you wholly aware of the situation and offer our services in ensuring your valuable IT infrastructure is protected.
The biggest risk is to cloud based applications and cloud based workstation environments. Take a moment to imagine the following scenario. Multiple organizations are using Amazon Web Services. Let’s say one-hundred companies are sharing multiple servers that contain various processors. By chance, a greenhouse shares a physical server and processor with a bank. If the greenhouse is compromised it would then expose the bank’s data to nefarious entities. This could include information regarding user logins and other personal data. Essentially, all the data being processed by that shared processor is readable.
Amazon claims to have fixed the issue, but some security experts have serious doubts as to whether or not the applied fixes have conclusively solved the issue. The good news is that VMware is not vulnerable to the Meltdown security flaw. The bad news is that it is susceptible to the Spectre security flaw. VMware recently released patches for the following versions:
- ESXi 6.5 – ESXi650-201712101-SG
- ESXi 6.0 – ESXi600-201711101-SG
- ESXi 5.5 – ESXi550-201709101-SG
There are various sources claiming these patches will avert the vulnerability and reestablish security. Keep in mind one of those sources contradicts VMware patch ESXi550-201709101-SG and CVE-2017-5753 (found in the link below). I have personally verified this discrepancy with VMware and the Version 5.5 patch is effective.
Click on the link below to verify your VMware and better understand the patches associated with your version. Also, find out more about the risk to CVE-2017-5753 in regards to the Spectre vulnerability.
Unfortunately, these patches do not mitigate device level risk. We will continue to research ways to remediate those risks and keep you updated as more information becomes available. Contact us today if you have any questions or concerns.
Peter Avery, Chief Information Officer
Brady’s Business Systems
Main Office: (810) 606-0080