The New Year kicked off with a thud as the Meltdown and Spectre exploits dominated headlines with critical vulnerabilities in modern processors. Uplogix Local Managers are not impacted by these exploits.
The Uplogix 5000 and 500 Local Managers are not impacted by either the Meltdown or Spectre exploits. Hardware components in both Local Manager models are not susceptible to Meltdown. Spectre is not a risk because the underlying Linux OS on a Local Manager does not allow program installation, which is required by Spectre to run untrusted code on the machine. Customers running the virtual Uplogix Control Center should work with their hypervisor vendor to make sure that they are adequately patched.
The reason Spectre is not a problem for Uplogix is that it’s designed as a secure, closed appliance. Unlike other console servers, by protecting the underlying Linux OS from shell access Uplogix ensures:
- No direct access to the OS for higher security and reliability
- Secrets are kept from users (passwords and keys)
- Non-approved scripts and software cannot be installed
- The application software and configuration integrity is maintained
Other console servers as also based on Linux, but use an open architecture. This makes it possible to access and tweak OS settings and create and run scripts on the platform. You can install other programs that can run alongside the OOB management software, and you can patch Linux functionality without patching application software.
However, this flexibility to install other apps means that things can go wrong too. On the non-malicious side of the equation, these could be changes that modify or delete files critical to normal operation of the appliance and impact performance. But truly bad things could happen as well. Scripts and software (such as Spectre) can be installed through an encrypted SSH session, with changes made to the appliance outside of the application. This means they could be undetected and not show up in logs or audits. Encrypted passwords and keys can be accessed and exported.
For more information, see the Uplogix Security Solution Brief which details how the fundamental architecture of Uplogix secures itself from exploits like Spectre.
MILITARY GRADE SECURITY, REALLY
In addition, the Uplogix Platform meets the requirements for FIPS 140-2 Level 2 certification from the National Institute of Standards and Technology (NIST). Enhancements to the already-significant security features in Uplogix meet or exceed government standards for the protection of data and information captured and stored by Uplogix appliances. Addition physical requirements include tamper-evident seals and visual obstructions.
For more information about network security capabilities of the Uplogix platform, see the infrastructure security features page on the Uplogix website.
More on Meltdown and Spectre
The site meltdownattack.com had clear definitions of each issue:
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.