We asked major storage array vendors what they're doing to protect customers from the Spectre and Meltdown bugs. Here is what they said.
Storage arrays, whether directly attached or configured as NAS or SAN, are not immune to the Meltdown and Spectre security bugs. Arrays contain servers known as controllers, and those servers have their fair share of commodity microprocessors where the bugs like to make homes.
TechRepublic polled Dell EMC, IBM, Hewlett Packard Enterprise, NetApp, and Vantara (formerly Hitachi Data Systems). Each company provided an official statement or posted one on their site.
Of course, this impacts cloud storage too.
SEE: Intrusion detection policy (Tech Pro Research)
The link to the data protection security advisory is accessible only by customers, but the public version of that advisory can be found here. Some of this information was provided to me by Dell EMC in an email.
"For Spectre/Meltdown: Because we are a big user of Intel and AMD chipsets, Dell is currently undergoing a portfolio-wide impact assessment of our products. We'll be cascading out information such as lists of specific products that are affected, along with links to patches/fixes/updates to products as our security and engineering teams make those available. At the moment we're unable to give a timetable for patch/fix/update availability for any specific product. We're asking our customers to check the links below often as we'll be making updates to these daily.
Dell is aware of the side-channel analysis attacks (also known as Meltdown and Spectre) affecting many modern microprocessors. We are working with Intel and others in the industry to address the issue. For more information on affected platforms and next steps, please refer to the following resources. They will be updated regularly as new information becomes available."
• Dell EMC Storage and Data Protection products http://support.emc.com/kb/516117 (customer accessible only)
• Dell EMC Server, Legacy Dell Storage & Networking product http://www.dell.com/support/article/SLN308588
• Dell Client products http://www.dell.com/support/article/SLN308587
• RSA products https://community.rsa.com/docs/DOC-85418 (customer accessible only)
• Former VCE products http://support.vce.com/kA2A0000000PHXB (customer accessible only)
IBM posted a statement on its site:
"Google has announced a widespread CPU architectural issue potentially impacting system security. More information can be found in Google's disclosure https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
IBM is working with our clients and industry partners on this issue, which has the potential to affect many types of computing devices from different manufacturers. It's important to note there are no known cases where this vulnerability has been used maliciously.
Patches will be made available for IBM systems via our normal customer portals. Further details concerning potentially impacted processors in the POWER family can be found here. Per our business as usual process, all information for IBM Z clients can be found at the IBM Z Portal.
IBM Storage appliances are not impacted by this vulnerability.
The most immediate action clients can take to protect themselves is to prevent execution of unauthorized software on any system that handles sensitive data, including adjacent virtual machines.
We will continue to update this blog to include additional information as appropriate."
For more recent information about IBM's response, read this article on TechRepublic sister site ZDNet: Meltdown-Spectre: IBM preps firmware and OS fixes for vulnerable Power CPUs.
Hewlett Packard Enterprise
"HPE has been informed about an issue that affects certain microprocessors. The security of HPE products is our top priority and we have worked with our operating system and microprocessor partners to develop updates to resolve this issue for the most common OS versions and current HPE server generations, with additional resolutions to come. Customers can find a list of impacted products on the HPE vulnerability website and instructions on how to download the resolutions in the HPE Security Bulletin, or talk to their HPE representative."
"ONTAP is not susceptible to either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system. ONTAP is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, the same is true of all ONTAP variants including both ONTAP running on FAS/AFF hardware as well as virtualized ONTAP products such as ONTAP Select and ONTAP Cloud. NetApp has advised hypervisor customers to work with their cloud platform vendors to ensure that their ONTAP product is running on a secure and patched platform."
SEE: Essential reading for IT leaders: 10 books on cybersecurity (free PDF) (TechRepublic)
"Vantara is aware of the recently published research detailing vulnerabilities that involve the abuse of speculative execution known as Meltdown and Spectre. Our engineers are working with our HW and SW partners (suppliers) to fully assess the impact and implications of this issue. We have not received any information to indicate these vulnerabilities have impacted any of our customers to-date, and our initial assessment is they would require a high level of sophistication to exploit. We are actively--and will continue--delivering updates to our customers as the situation develops and more information becomes available."
- Meltdown-Spectre: Four things every Windows admin needs to do now (ZDNet)
- Google: Our brilliant Spectre fix dodges performance hit, so you should all use it (ZDNet)
- How to protect Windows Server from Meltdown and Spectre (ZDNet)
- AMD processors: Not as safe as you might have thought (ZDNet)
- Intel CEO Brian Krzanich opens CES keynote on security issues (CNET)
- Meltdown-Spectre patch: Watch out for random reboots warns Intel (TechRepublic)
- Google Cloud performance unaffected by Spectre, Meltdown flaws, firm say (TechRepublic)
- All-flash arrays: The smart person's guide (TechRepublic)