Meltdown and Spectre are critical vulnerabilities existing in several modern CPU: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, server and several cloud services.
Actually, the only way to minimize those security risks is to patch your operating systems or the hypervisor level (if you are using virtual machines).
All data protection and backup products are somehow impacted by those bugs. But compared to storage, where a plethora of operating systems are used (Linux, Windows, *BSD, Solaris branch, and a lot of custom OS), in data protection most of the solutions works on Windows or Linux systems.
So seems that a traditional patching (hardware firmware, hypervisor if present, and operating system) could be enough… But there are also the different type of appliances, physical and virtual!
Most of those appliances have a limited access, so most vendors just say that no specific protection is needed. For example, Veeam, use virtual appliances (Linux based) for non-Windows file level restore or for Sure Backup. At this time they just say: no patches are currently required since only root can log in to these appliances. To protect other VMs running on the same host from getting into each other’s memory, patching the host is required.
For Dell-EMC data protection productsSecurity products there is already a detailed list:
| Avamar Physical Edition | Gen4/Gen4S/Gen4T | Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x | Limited impact | Access to the platform OS to load external code is restricted to appliance administrative user. The reported issues do not introduce a significant security risk to a customer’s environment, provided the recommended best practices to protect the access of privileged account are followed. Refer to the Avamar Product Security Guide for more information. We are in the process of investigating remediation options. |
| Avamar Virtual Edition | Not applicable | 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.x | Limited impact (after the host system is patched) | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. For the guest OS impact, see Avamar Server impact information above. Remediation is planned for late February, 2018. |
| Avamar Extended Retention (AER) | Gen4 | 7.1, 7.2 | Limited impact | See Avamar Physical Edition information above. |
| Avamar Plug-in for vCloud Director | Not applicable | 2.0.3, 2.0.4, 2.0.5, 2.0.6 | No (after the host system is patched) | It is a single-user, root-user-only virtual appliance. The reported issues do not introduce any additional security risk to a customer’s environment for “in-guest” attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
| Backup and Recovery Manager (BRM) | Not applicable | 1.2.x, 1.3.x | Limited impact (after the host system is patched) | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. Access to the virtual appliance to load external code is restricted to appliance administrative user. The reported issues do not introduce a significant security risk to a customer’s environment, provided the recommended best practices to protect the access to privileged account are followed. See BRM Security Guide for more information. Remediation is planned for late February, 2018. |
| Data Domain Restorer | All | All | No | Access to the platform OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment. |
| Data Domain Virtual Edition | Not applicable | All | No (after the host system is patched) | Access to the virtual appliance OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment for potential “in-guest” attacks. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
| Data Domain Boost (DD Boost) | Not applicable | All | No | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. |
| Data Domain Management System (DDMS) | Not applicable | All | No (after the host system is patched) | Access to the virtual appliance OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment for potential “in-guest” attacks. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
| Data Domain V Disk | Not applicable | All | No | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. |
| Data Protection Advisor (DPA) | Not applicable | All | No | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. |
| Data Protection Search | Not applicable | 1.1.3 | Yes | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. Remediation for guest operating system to prevent “in-guest” attacks is planned for late February, 2018. |
| NetWorker and NetWorker Management Console | Not applicable | 8.x, 9.0.x, 9.1.x, 9.2.x | No | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. |
| NetWorker Module for Microsoft | Not applicable | 3.x and above | No | It is a software product only. Check with your hardware system vendor and operating system vendor for any available updates for the host system. |
| NetWorker VE | Not applicable | 9.0.x, 9.1.x, 9.2.x | Yes | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. Remediation plan for the guest operating system to prevent “in-guest” attacks is in progress. |
| NetWorker VMware Backup Appliance (VBA) | Not applicable | 1.1.3.7, 1.5.1.7 | Yes | Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. Remediation for the guest operating system to prevent “in-guest” attacks is planned for mid-February, 2018. |
| vProxy Virtual Appliance with NetWorker | Not applicable | All | No (after the host system is patched) | Access to the virtual appliance OS to load external code is restricted to highly privileged accounts only. The reported issues do not introduce any additional security risk to a customer’s environment for potential “in-guest” attacks, provided the recommended best practices to protect the access of highly privileged accounts are followed. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
| RecoverPoint Physical Appliance | Gen 5 and Gen 6 | 4.4.x, 5.0.x, 5.1.x | No | Access to the platform OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment. |
| RecoverPoint Virtual Appliance | Not applicable | 4.4.x, 5.0.x, 5.1.x | No (after the host system is patched) | Access to the virtual appliance OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment for potential “in-guest” attacks. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
| RecoverPoint for VMs | Not applicable | 4.3.x, 5.0.x and 5.1.x | No (after the host system is patched) | Access to the virtual appliance OS to load external code is restricted. The reported issues do not introduce any additional security risk to a customer’s environment for potential “in-guest” attacks. Check with your hardware system vendor and hypervisor vendor for any available updates for the host system to prevent “guest-to-host” and “guest-to-guest” attacks. |
This list represents a good approach to the problem, with all different products and options and components.
Other vendors are just in an evaluating phase with a conservative approach. For example, Datto says: like many other vendors, we are continuing to monitor for industry guidance and our response team is awaiting vendor operating system kernel patches that address these vulnerabilities. We intend to expedite our qualification of these patches in order to ensure that we are able to address the issues while continuing to ensure the high level of performance and stability of our products for our customers.
Several other vendors are just ignoring (at this time) the problem!
Performance impact
Would those patches change the SLA of the data protection products? Would the backup window still enough to complete in time all the backups?
Actually is too early to have specific data, but most vendors are testing and evaluating the impact. For Veeam just refer at KB 2427 to see how this problem is evolving.
Related Posts
Andrea Mauro
Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.
