On January 3rd, 2018, two large security vulnerabilities were made public: Meltdown and Spectre. Both are of a similar nature in that they rely on how microprocessors manage the security of data.
In both cases, it has been demonstrated that by running a rogue program on a specific machine, it is possible to glean some information related to other programs on the same machine – this information being stored in the processor cache at the moment of execution.
With regards NetConnect, we are looking at security from 2 separate angles: the NetConnect server, and the end user devices used to access the service.
– With regards to the NetConnect physical servers (NSS5000 and NSS50): The NetConnect server is a locked down appliance, and it is not possible for a rogue user to run any specific code on the server. As a result, it is not possible to exploit the NetConnect server with either of these vulnerabilities.
– With regards to NetConnect virtual deployments: For customers running a virtual appliance, a rogue user with access to the hypervisor might be able to run malicious code on the hypervisor and therefore gain access to some data. This is outside the control of NetConnect, all relevant security patches should be applied to the hypervisor as they are made available in order to mitigate against this risk.
– With regards end user devices: All end user devices are potentially at risk, regardless of what users do (play their favourite game, browse the internet or use NetConnect). NetConnect users are therefore advised to apply all security patches to their personal devices as they become available. This, again, is outside the control of NetConnect and applies to all applications they might be using.
In short – NetConnect is not directly vulnerable to the Meltdown and Spectre vulnerabilities, however external elements used around NetConnect (hypervisors for virtual machines, operating systems for user devices) may be, therefore all customers are advised to apply all security patches as they become available on their systems to ensure they mitigate the risk associated with these vulnerabilities.
For more information, please contact firstname.lastname@example.org