Are VDI environments vulnerable to Meltdown and Spectre?
Never in modern hardware history has there been such a far-reaching security concern at the hardware level as the recent Meltdown and Spectre vulnerabilities. The potential for exploitation encompasses billions of modern CPUs found in an untold number of devices. In recent weeks, manufacturers and software companies have been scrambling to find a solution to the Meltdown and Spectre vulnerabilities. The issue is especially complicated because the flaw exists in the hardware itself.
Organizations today are affected not just at the server infrastructure level, but also at the end user device level. Even network devices contain vulnerable processors. The client workstation problem may well be the most complicated: in a traditional client/server architecture, each end user workstation may need to be touched individually with BIOS updates, software patches and so on. What are Meltdown and Spectre? When thinking of end user client devices, are VDI environments vulnerable to Meltdown and Spectre? How can VDI infrastructure help protect organizations from threats that stem from hardware flaws in today’s physical processors?
What are Meltdown and Spectre?
With the recent news about the hardware vulnerabilities called Meltdown and Spectre affecting most of today’s modern processors, what exactly are these vulnerabilities? Both exploits target a performance feature of modern processors called “speculative execution”. With speculative execution, the processor attempts to guess which instructions it will need to process next and begins executing them before it knows for certain that they are required. Processors are quite good at predicting these forthcoming operations and the order in which they need to be executed. When speculative execution was introduced with early Pentium processors, it provided huge performance gains over previous processors that did not contain the technology.
However, it was recently found that speculative execution has major security flaws that allow an attacker to deliberately abuse the process so that protected kernel memory is exposed. Intel processors were found to let speculatively executed instructions access this protected memory space, which should never be allowed. Apparently, Intel’s processors do not enforce the privilege check on memory accessed during speculative execution, so a user mode process can reach memory that should be reserved for privileged code. Privileged kernel memory contains very security-sensitive information such as passwords, crypto keys and many other pieces of information that you would not want a user mode process to have access to. With the Meltdown attack, the memory address space isolation meant to be in place is “melted” away, exposing the protected address space. At this point, Intel and ARM processors, but not AMD processors, appear to be affected by Meltdown.
Spectre takes a somewhat different approach to exploiting speculative execution. With Spectre, the memory isolation between different applications is compromised, rather than the isolation between applications and the operating system. So, for example, the address space isolation that should exist between different virtual machines could potentially be breached with Spectre. This attack is equally troubling, as once again protected memory is compromised by exploiting speculative execution. The number of affected CPUs is even larger with Spectre, as it includes Intel, ARM and AMD processors.
Software Patches to Remediate Meltdown and Spectre
To truly be rid of the problem, enterprise datacenters and end users alike would have to discard the CPUs in their current devices and replace them with something new. The problem is that “something new” doesn’t really exist yet. The CPU manufacturers simply don’t have a new processor ready for market that is free of the speculative execution vulnerability.
At this point, the only real remediation is to apply vendor-released operating system patches that change the way the operating system interacts with kernel memory. Microsoft, Linux vendors, Apple, VMware and others have already released software patches to deal with the vulnerabilities. Many organizations are scrambling to identify the scope of the needed patches as well as how best to roll them out. Perhaps the most challenging part for organizations is remediating client workstations, including BIOS patches.
For organizations considering VDI, as well as those already running VDI environments, there are clear advantages to VDI when it comes to the Meltdown and Spectre exploits and the process of remediating a client environment.
Are VDI Environments Affected by Meltdown and Spectre?
VDI environments can be affected at three layers: the hardware platform used to connect to the backend VDI environment, the hypervisor, and the guest operating system presented via the hypervisor. As an example, many VDI environments run Microsoft Windows virtual machines, for which Microsoft has released patches that change how user and kernel mode code are allowed to interact. However, several facets of VDI architecture help reduce the Meltdown and Spectre attack surface. Let’s take a look at what those are.
VDI Environments Help Mitigate Meltdown and Spectre Attack Surfaces
As with any environment, the security of a VDI deployment is only as good as the person or team that configured it. However, VDI solutions hold definite architectural advantages when we think specifically about the Meltdown and Spectre exploits and the patching process required to remediate them. The key advantages of VDI as they relate to Meltdown and Spectre are as follows:
- Centralized management of compute resources and backend virtual machines provides better tooling and automated means for patch management.
- Effectively patching and remediating security vulnerabilities is much easier to accomplish with VDI solutions, as resources are maintained centrally. Once the single “Gold Image” is patched with the recommended Microsoft Meltdown and Spectre patches, all virtual machines subsequently provisioned from it are patched by default.
- Patching the underlying hypervisor generally requires no downtime, as VMs are simply migrated to alternate compute and memory resources.
- By design, VDI delivers only the output of the underlying virtual machines to the endpoint; the information itself is processed in the datacenter. This abstraction layer creates a barrier between an attacker and the thin client CPU.
- Thin client devices and thin client OS software are highly customized packages that by their nature provide a much more restricted environment in which to attempt an exploit of speculative execution. Thin client operating systems such as Praim ThinOX are stripped-down, customized systems that are more difficult to exploit, because an attacker first needs to run code on the device before any speculative execution flaw can be abused.
- Many vendors, like Praim, offer centralized management of thin client hardware that makes operations such as BIOS updates and other firmware upgrades highly automated and efficient.
- With ThinMan Server, Praim provides central control of thin client devices, including the installation of new firmware and security updates for the ThinOX operating system.
Some vendors of thin clients used with VDI environments have stated that their systems are not vulnerable to the Meltdown and Spectre CPU exploits. As an example, Teradici has noted that its PCoIP zero client endpoints remain secure. Devices built on these Teradici models, such as the Praim P Series, which use the Teradici TERA2321 and TERA2140 PCoIP processors, are therefore not affected either.
Additionally, many organizations running Windows thin clients have noted that the patches issued by Microsoft are very heavy in terms of disk usage, and some have run into disk space problems on thin clients running Microsoft Windows. By switching to a small-footprint, purpose-built VDI operating system such as Praim ThinOX4PC, businesses can avoid the disk space issues that come with patching Windows-based thin clients. Installing ThinOX4PC on those devices keeps the same hardware in service while eliminating the need to install the heavy Microsoft kernel patches; the ThinOX operating system itself still receives its own security updates through ThinMan Server.
Meltdown and Spectre are by far the most alarming security risks discovered in modern times. The sheer breadth of affected systems is hard to comprehend: virtually every modern processor in operation today, in almost every kind of device, is vulnerable. VDI infrastructure is vulnerable to some degree simply because the guest operating systems and hypervisors themselves need the patches recommended by the software vendors.
However, when compared to physical end user workstations, VDI solutions are much easier to manage and remediate when it comes to needed patches, BIOS and firmware updates. By updating a single “Gold Image”, all virtual machines derived from that image are patched. Additionally, by using a thin client management platform such as Praim ThinMan Server, organizations can centrally manage all thin client devices from a single pane of glass, which allows automating the rollout of any recommended firmware or security updates to all end user devices.
The Meltdown and Spectre issue is not going away any time soon. Organizations need to stay current with the latest information available and make sure production systems have the software vendors’ most current recommendations applied.
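One way to verify that last point on a Linux-based VDI guest or gold image, as an added example that is not part of the original article: since Linux 4.15 the kernel reports its own Meltdown and Spectre mitigation status under /sys/devices/system/cpu/vulnerabilities/, and the script below reads those files and fails if any of the three entries is missing, unmitigated or unrecognised. The directory path and status strings are those documented by the kernel; checking only these three entries is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original article: report whether a Linux VDI
# guest (or the gold image it is built from) has kernel mitigations in place.
# Since Linux 4.15 the kernel exposes one status file per issue under
# /sys/devices/system/cpu/vulnerabilities/, e.g. "Not affected",
# "Vulnerable", or "Mitigation: PTI" (page-table isolation, the Meltdown fix).
VULN_DIR=/sys/devices/system/cpu/vulnerabilities
# The three entries checked below are the ones relevant to this article;
# newer kernels add further files (assumption: only these three matter here).
CHECKS="meltdown spectre_v1 spectre_v2"

# classify_status "<status line>" -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;          # CPU not affected by this issue
        Mitigation:*)    echo ok ;;          # a kernel mitigation is active
        Vulnerable*)     echo vulnerable ;;  # kernel knows, nothing enabled
        *)               echo unknown ;;     # missing file or unexpected text
    esac
}

# check_vulns <dir> -> prints "<name> <class> <raw status>" per entry and
# returns 0 only when every entry is ok (mitigated or not affected).
check_vulns() {
    dir="$1"
    rc=0
    for name in $CHECKS; do
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            # No file: the kernel predates 4.15 or lacks mitigation support,
            # so the image cannot be considered patched.
            status="(missing)"
        fi
        class=$(classify_status "$status")
        [ "$class" = ok ] || rc=1
        printf '%-10s %-10s %s\n' "$name" "$class" "$status"
    done
    return $rc
}

# Stand-alone use: inspect the running system and print a verdict.
if check_vulns "$VULN_DIR"; then
    echo "RESULT: all checked issues mitigated or not affected"
else
    echo "RESULT: gold image NOT compliant, apply the vendor kernel updates"
fi
```

Windows guests have no equivalent sysfs interface; there, Microsoft's SpeculationControl PowerShell module (Get-SpeculationControlSettings) reports the same information.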