Meltdown and Spectre are two recently discovered security vulnerabilities in modern CPUs, including those used on our servers.

The brief response from CiviHosting regarding these two issues is that Meltdown is a serious vulnerability, but our servers are not vulnerable to it. Spectre is less serious, but our servers are not vulnerable to it either.

The more detailed response, for those interested, begins with a brief review of what the issues are:

Meltdown is described on the Meltdown Wikipedia page as:

Meltdown is a hardware vulnerability affecting Intel x86 microprocessors and some ARM-based microprocessors. It allows a rogue process to read any kernel memory, regardless of whether it should be able to do so.

Our servers run Linux and there are kernel patches for Debian (the distro we run) which stop Meltdown attacks. These patches have been applied to all of our servers.

Spectre is described on the Spectre Wikipedia page as:

Spectre is a vulnerability with implementations of branch prediction that affects modern microprocessors with speculative execution. Since speculative execution on most processors affects the data cache, programs that accept requests may be tricked into reading private data and, consequently, modifying the state of the data cache. An attacking program on the same machine can then access the data cache to discover the private data.

At the moment, there are no solutions available against Spectre-type attacks, but there are no publicly available exploit methods either. This kind of attack requires special tailoring to the particular server and application implementation, so it is quite hard to perform. We use SuExec on our servers, so all web processes on our servers run as the hosting account user. A Spectre-type attack, when successful, would allow a child process to read memory from its parent process. Exploiting this on our shared hosting servers wouldn't be of any value: if a hacker finds a way to execute code with the privileges of the hosting user, the hosting account is already compromised, and there is no point in performing a sophisticated Spectre attack when the same result can be obtained with much easier methods.
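To check on a Linux server whether the Meltdown kernel patches are active and what the kernel reports for Spectre, the status can be read from sysfs. The script below is an added example, not CiviHosting's own tooling; it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities`, and the function names `classify_status` and `audit_cpu_vulns` are hypothetical.

```shell
#!/bin/sh
# Report the kernel's own view of Meltdown/Spectre mitigation status.
# Assumption: the running kernel provides the sysfs directory
# /sys/devices/system/cpu/vulnerabilities (older kernels do not).

# classify_status STATUS_LINE -> prints OK, VULNERABLE or UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        "Vulnerable"*)                  echo VULNERABLE ;;
        *)                              echo UNKNOWN ;;
    esac
}

# audit_cpu_vulns [DIR] -> prints one line per issue.
# Returns 0 only if every issue is reported as not affected or mitigated.
audit_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$issue" ]; then
            status=$(cat "$dir/$issue")
            verdict=$(classify_status "$status")
        else
            # A missing entry means the kernel cannot report on this issue;
            # treat it as unconfirmed rather than as safe.
            status="(no sysfs entry)"
            verdict=UNKNOWN
        fi
        printf '%-11s %-10s %s\n' "$issue" "$verdict" "$status"
        [ "$verdict" = OK ] || rc=1
    done
    return $rc
}

# Constructed sample data (not captured from a real server) so the script
# runs anywhere. On a real host, call audit_cpu_vulns with no argument.
demo=$(mktemp -d)
echo "Mitigation: PTI" > "$demo/meltdown"
echo "Vulnerable"      > "$demo/spectre_v2"
audit_cpu_vulns "$demo" || echo "at least one issue is not confirmed mitigated"
rm -rf "$demo"
```

The non-zero return code makes the function usable from monitoring or configuration management, so a server that boots an unpatched kernel is flagged instead of silently passing.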

You can find more details about both of these issues on the Meltdown and Spectre website.

Please note that CiviHosting has a perfect security record — our servers have never been hacked.
