Spectre and Meltdown

In January, the Meltdown and Spectre vulnerabilities were discovered, affecting several processors from Intel, AMD and even ARM. Since the vulnerability is in the processor, a wide range of machines are at risk, including PCs, servers and smartphones. The cloud is no exception, since your cloud service provider's hardware would be vulnerable. This vulnerability is not tied to a single operating system or a badly written program; it stems directly from the way the processor executes instructions.

Many QNAP and Synology models are powered by these processors, so in theory the data on your NAS could be vulnerable too.

Which Models of NAS are Vulnerable

In theory, any NAS that is powered by an affected processor is vulnerable. In practice, though, unless you have a rogue application installed on your NAS, there is very little chance that your data could leak. These vulnerabilities rely on something called "speculative execution" and require a local application to exploit them. For example, a rogue website could steal information from another running program on your PC, or from the PC's memory. With virtual machines running on your NAS and applications running in containers, the risk increases.

So far, there haven't been any reports of any data breach due to this pair of vulnerabilities in NAS products, but both QNAP and Synology have confirmed that they are working on software patches to fix the vulnerability.

Till the Patches are available

Till the patches are available, you should:

1. Avoid installing any untrusted application on the NAS.
2. Avoid running any untrusted VM or container app.
3. Ensure all the users on the NAS are secured and have only appropriate privileges.

Severity of the Risk

Meltdown is easier to exploit but is also easier to patch. Spectre is difficult to exploit, and its patches will be rolled out slowly too. So far there are no reports of anybody exploiting these, but then maybe exploits have gone unnoticed. What makes it severe is that it lies in the hardware chipset itself, so potentially millions of machines are vulnerable. Software that was secure in the past may turn into an exploit tool with these vulnerabilities.

The good news is that there is no report of an exploit so far, and the patches are in the works. Keep an eye on the updates and install them as soon as they are available, even if it makes your PC slow.
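
One way to confirm that an update actually applied the fixes, as an added example that is not from QNAP, Synology or the original post: Linux kernels that carry the Meltdown and Spectre patches report their status under /sys/devices/system/cpu/vulnerabilities. The script assumes shell (SSH) access to a Linux-based NAS; the function names are made up for this example, and a missing entry is reported as unknown rather than safe.

```shell
#!/bin/sh
# Added example: report Meltdown/Spectre mitigation status on a Linux-based NAS.
# Assumption: the kernel exposes the standard sysfs directory below. Older
# firmware kernels may not, which is reported as "unknown", never as safe.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# classify_status <status line>
# Prints one of: not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [dir]
# Prints one line per issue and returns:
#   0 = every entry is not_affected or mitigated
#   1 = at least one entry is vulnerable
#   2 = nothing reported vulnerable, but at least one entry is unknown
check_cpu_vulns() {
    dir=${1:-$VULN_DIR_DEFAULT}
    worst=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            line=$(cat "$dir/$name")
            verdict=$(classify_status "$line")
        else
            line="(no sysfs entry; kernel does not report this issue)"
            verdict=unknown
        fi
        printf '%-11s %-12s %s\n' "$name" "$verdict" "$line"
        case "$verdict" in
            vulnerable) worst=1 ;;
            unknown)    if [ "$worst" -eq 0 ]; then worst=2; fi ;;
        esac
    done
    return "$worst"
}

# Usage on the NAS, before and after installing an update:
#   check_cpu_vulns; echo "exit code: $?"
```

An exit code of 2 means the kernel does not report the status at all, so the vendor's release notes remain the only confirmation for that firmware.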
