Rosebud-1984

Meltdown and Spectre CPU vulnerabilities

Hello AirVPN team,

What about the recent CPU vulnerabilities Meltdown and Spectre (Info: https://meltdownattack.com/) and their impact on the security of the AirVPN service?

I think VPN Providers are a worthwhile target for such an attack vector.

Are there already AirVPN servers that are hardened against these vulnerabilities and what about the underlying AirVPN structure (e.g. authorization servers)?


Air staff might have to be cautious what they say/promise, and detailing security measures may be silly, so I will chip in as an IT pro client, but not a security expert.

As far as I know, Air have said they run discrete server hardware in data centers, not the cheaper virtual machines on shared server hardware that many VPN providers use to add to their number of locations. One concern I have seen is that Meltdown and Spectre may break out of VMs into hypervisor and/or kernels, and then other VMs, on the same memory address hardware.

I expect that any OpenVPN server and its administrative and support software is a much smaller attack surface, against hardened software, compared to general cloud servers with various programming languages, databases, etc. So worse cost/benefit for attackers, and not such a haul, as intercepting a database or confidential documents.

One nasty possibility in the Austrian research/proof-of-concept was that JavaScript could be used for a successful attack. I have now updated Firefox to 57.0.4, which claims to fix, on W10 and Linux Mint 18.3. Worth attention at our user end to avoid drive-by malware websites or adware.

Of interest, including in lawsuits against Intel, is the many months since original findings to publication and issue of patches. Plenty of time for China/Russia/US/etc big budget cyberspies to do their secret things. So the "worst" breaches may have already happened for some targets.


The link below is likely posted somewhere else w/in the Forums, but for crying out loud... this story really ticked me off (probably more so than the reported, up to 30% decrease in performance, hit Intel processors will take w/ the eventual fix). CEO Brian Krzanich sells off all but required minimum... https://gizmodo.com/intel-says-ceo-dumping-tons-of-stock-last-year-unrelate-1821739988


Since all AirVPN servers are bare metal, the entire service is not affected by this vulnerability, which allows a privilege escalation and a potential escape from a sandboxed environment.

Users, however, should apply patches to their systems.


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
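
For readers following the advice above to patch their own systems, this added example (not part of the thread or of AirVPN's tooling) reads the mitigation status that patched Linux kernels report under `/sys/devices/system/cpu/vulnerabilities`. The function names are hypothetical, and a missing report file is treated as "unknown" rather than safe.

```shell
#!/bin/sh
# Report the kernel's own view of Meltdown/Spectre mitigation status on Linux.
# Kernels that carry the fixes expose one status file per issue in this directory.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status TEXT -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo OK ;;          # CPU is not subject to the issue
        "Mitigation:"*)  echo OK ;;          # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo VULNERABLE ;;  # affected and not mitigated
        *)               echo UNKNOWN ;;     # unexpected wording: do not assume safe
    esac
}

# check_cpu_vulns [DIR] -> one line per issue; returns 1 if any issue is not OK
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            text=$(cat "$dir/$issue")
            verdict=$(classify_status "$text")
        else
            # No file usually means the kernel predates the fixes (or is not Linux).
            text="no report from kernel"
            verdict=UNKNOWN
        fi
        [ "$verdict" = OK ] || rc=1
        printf '%-10s %-10s %s\n' "$issue" "$verdict" "$text"
    done
    return $rc
}

# Run against the live system only when asked to: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_cpu_vulns
fi
```

A non-zero exit status means at least one issue is reported as vulnerable or has no report at all, which makes the function usable in a monitoring or post-update check.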
