Jump to content
Not connected, Your IP: 18.226.93.22
Rosebud-1984

Meltdown and Spectre CPU vulnerabilities

Recommended Posts

​Hello AirVPN team,

​what about the recent CPU vulnerabilities Meltdown and Spectre (Info: https://meltdownattack.com/) and their impact on the security of the AirVPN service?

​​I think  VPN Providers are a worthwhile target for such an attack vector.

​​

Are there already AirVPN servers that are hardened against these vulnerabilities and what about the underlying AirVPN structure (e. g. authorization servers)?

 

Share this post


Link to post

Air staff might have to be cautious what they say/promise, and detailing security measures may be silly, so I will chip in as an IT pro client, but not a security expert.

As far as I know, Air have said they run discrete server hardware in data centers, not the cheaper virtual machines on shared server hardware that many VPN providers use to add to their number of locations. One concern I have seen is that Meltdown and Spectre may break out of VMs into hypervisor and/or kernels, and then other VMs, on the same memory address hardware.

I expect that any OpenVPN server and its administrative and support software is a much smaller attack surface, against hardened software, compared to general cloud servers with various programming  languages, databases, etc. So worse cost/benefit for attackers, and not such a haul, as intercepting a database or confidential  documents.

One nasty possibility in the Austrian research/proof-of-concept was that javascript could by used for successful  attack. I have now updated Firefox to 57.0.4, which claims to fix, on W10 and Linux Mint 18.3. Worth attention at our user end to avoid drive-by malware websites or adware.

Of interest, including in lawsuits against Intel, is the many months since original findings to publication and issue of patches. Plenty of time for China/Russia/US/etc big budget cyberspies to do their secret things. So the "worst" breaches may have already happened for some targets.

Share this post


Link to post

The link below is likely posted somewhere else w/in the Forums, but for crying out loud... this story really ticked me off (probably more so than the reported, up to 30% decrease in performance, hit Intel processors will take w/ the eventual fix).  CEO Brian Krazanich sells off all but required minimum... https://gizmodo.com/intel-says-ceo-dumping-tons-of-stock-last-year-unrelate-1821739988

Share this post


Link to post

Since all AirVPN servers are bare metal, the entire service is not affected by this vulnerability, which allows a privilege escalation

and a potential escape from a sandboxed environment.

Users, however, should apply patches to their systems.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...