Reading Time: 6 minutes

Meltdown and Spectre are critical vulnerabilities existing in several modern CPU: these hardware bugs allow programs to steal data which is currently processed on the computer. Meltdown and Spectre can affect personal computers, mobile devices, server and several cloud services.

Actually, the only way to minimize those security risks is to patch your operating systems or the hypervisor level (if you are using virtual machines).

As written in my first post about those issues, almost all storages are based on Intel Xeon processors? For this reason, potentially they are all affected by both problems, but in most cases, storage arrays are “embedded” system with no 3rd parties codes on it, and usually in isolated (or protected) networks. So the problem is minimized.

But we have also to consider that some storage vendors have built their products to run additional apps… for example, a lot of (entry level) NAS are just a platform for a lot of 3rd party code, also server web, in this case, the risk could be huge.

And there are also the hyper-converged storages where host CPU is shared between the storage appliance and all other workloads! Also, in this case, it’s really important to have a right patching (for example see the consideration for Nutanix products).

Chris Mellor, has written an article on The Register, about the concern on the performance aspects and the position on five storage vendor that just say that their SAN storages are not affected:

  • IBM says that its storage appliances will emerge unscathed
  • NetApp says that unlike a general-purpose operating system, Element OS is a closed system that does not provide mechanisms for running third-party code. Due to this behavior, Element OS running on SolidFire or NetApp HCI Storage nodes is not affected by either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system.
  • Tintri says that they are not vulnerable because they only run our own software on our appliances and that they’re not planning on patching their software.
  • DataCore says that once a DataCore SAN target request has been received by the kernel, whether from a SAN, a Hyper-Converged environment, or MaxParallel, there are no additional transitions to userspace involved. But maybe they are not considering (yet) the impact of have a software solution running on the top of a general Windows Server OS.
  • Infidat says that the design of InfiniBox provides no facility for non-privileged users to run 3rd party code locally on the system.

But you can simply check each vendor to learn more, for example for Dell-EMC they say that those Dell products requiring no patches or fixes for these three CVE vulnerabilities:

  • EqualLogic PS Series
  • Dell EMC SC Series (Compellent)
  • Dell Storage FluidFS Series (includes: FS8600, FS7600, FS7610, FS7500, NX3600, NX3610, NX3500)
  • Dell Storage MD3 Series
  • Dell Storage Windows NAS Appliances (NX3330, NX3230, NX430)
  • Dell PowerVault Tape Drives & Libraries
  • Dell Storage Manager Virtual Appliance (DSM VA – Compellent)
  • Dell Storage Integration tools for VMWare (Compellent)
  • Dell EqualLogic Virtual Storage Manager (VSM – EqualLogic)

Bur the Dell specific KB for Dell-EMC storage products (, seems to be more realistic and pragmatic. For example, for Dell-EMC Isilon it says that a combination of OneFS and BIOS updates will be provided. On most of the other storage, says that the risk should not exist just because access to the platform OS to load external code is restricted.

But it’s probably too early to says that most of the storage are not attachable just because the OS is custom or restricted… There are so many different ways to interact with a storage (in some cases also with RestAPI, although most of those ways just interact with a management plane and not directly with the control or data plane).

And for all the software-based storage running as a software layer on the top of a general-purpose OS (Windows or Linux), I expect that a patch will be needed just to enforce the operating system or as common hardening option. And we don’t have to forget the several storages based on Solaris distributions or fork, considering that this OS is not listed on the official site and also in the Oracle community there isn’t yet a clear answer on how Solaris is affected and if there are some fixes. Oracle has just released some fixes for its products.

Nutanix response seems one of the fairest (in my opinion): they don’t say that their software isn’t affected (and not only the hyper-converged software that of course is affected, also for all other software, included the management software) and that they are investigating (in case it’s not clear yet that the software can be affected)… Periodically they update the state of their KB… But seems a good conservative approach, without generating too much noise or too many changes in the announcements.

And “small” physical appliances? Some vendors are starting to give answers on how their products are affected (and in most cases are affected because based on AMD or Intel CPU). For example, Synology was one the first. Synology rates the overall severity as Moderate because these vulnerabilities can only be exploited via local malicious programs. To secure DSM / SRM / VisualStation against the attacks, they suggest our customers only install trusted packages. But Synology (like Qnap) is a platform also for external apps… so it’s not so easy to validate all of them.

Of course, we don’t have to forget the several software appliances that different storage vendors have for the management plane of their products… those potentially are all affected and also if they are restricted environments, you may run them as a virtual appliance in an unprotected environment exposing those systems to attach from other VMs. So be sure to run those VA in a safe environment, also if your storage vendor says that those appliances are not affected by Meltdown and Specte bugs.