<!DOCTYPE html
SYSTEM "about:legacy-compat">
<html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta charset="UTF-8"><meta name="copyright" content="(C) Copyright 2023"><meta name="DC.rights.owner" content="(C) Copyright 2023"><meta name="DC.type" content="concept"><meta name="description" content="These vulnerabilities allow a non-privileged process to read sensitive data in memory, thus accessing privileged information from the kernel or other processes."><meta name="prodname" content="For Sentinel 400 Units with a Virtual Machine"><meta name="version" content="DGW 49.12.28842941"><meta name="platform" content="All"><meta name="DC.date.modified" content="2023-0308-2809"><meta name="DC.date.issued" content="2023-0308-2809"><meta name="DC.date.available" content="2023-0308-2809"><meta name="ChapterNumbering" content="no"><meta name="DC.format" content="HTML5"><meta name="DC.identifier" content="concept_c1q_fsm_5cb"><link href="https://fonts.googleapis.com/css?family=Open+Sans" rel="stylesheet"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/commonltr.css"><link rel="stylesheet" type="text/css" href="https://documentation.media5corp.com/download/attachments/45482024/custom.css"><title>Protecting the Virtual Machine from the Meltdown and Spectre Security Vulnerabilities</title></head><body><header role="banner"><div class="topicmeta title">Protecting the Virtual Machine from the Meltdown and Spectre Security Vulnerabilities </div><div class="topicmeta date">2023-0308-2809</div><div class="topicmeta product">For Sentinel 400 Units with a Virtual Machine </div><div class="topicmeta version">DGW 49.12.28842941</div><div class="topicmeta pdf"><a href="https://documentation.media5corp.com/download/attachments/45482024/Protecting%20Your%20Virtual%20Machine%20from%20the%20Meltdown%20and%20Spectre%20Security%20Vulnerabilities.pdf" rel="nofollow">Download PDF Document</a></div><hr><span style="float: 
inline-end;"></span></header><nav role="toc"><ul><li><a href="#concept_c1q_fsm_5cb">What are the Meltdown and Spectre Security Vulnerabilities</a><ul><li><a href="#concept_iqk_tsm_5cb">Is my VM vulnerable to Meltdown and Spectre?</a></li><li><a href="#concept_r2p_dtm_5cb">Is all the System Vulnerable?</a></li><li><a href="#concept_xrt_p5m_5cb">How to Protect my VM against Meltdown</a></li><li><a href="#concept_bxn_z5m_5cb">How to Protect my VM against Spectre</a></li></ul></li><li><a href="#concept_fqm_rv4_k4">Copyright Notice</a></li></ul></nav><main role="main"><article role="article" aria-labelledby="ariaid-title1"><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="nested0" aria-labelledby="ariaid-title1" id="concept_c1q_fsm_5cb">
<h1 class="title topictitle1" id="ariaid-title1">What are the Meltdown and Spectre Security Vulnerabilities</h1>
<div class="body conbody"><p class="shortdesc">These vulnerabilities allow a non-privileged process to read sensitive data in memory,
thus accessing privileged information from the kernel or other processes.</p>
<p class="p">A Virtual Machine (VM) running inside the Sentinel 400 <strong class="ph b">may</strong> be vulnerable to Meltdown
(<a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754" target="_blank">CVE-2017-5754</a>) and to the two variants of Spectre (<a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753" target="_blank">CVE-2017-5753</a> and <a class="xref" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715" target="_blank">CVE-2017-5715</a>).</p>
<p class="p">For more information on these vulnerabilities:</p>
<ul class="ul" id="concept_c1q_fsm_5cb__ul_xpg_msm_5cb">
<li class="li"><a class="xref" href="https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)" target="_blank">https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)</a></li>
<li class="li"><a class="xref" href="https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)" target="_blank">https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)</a></li>
</ul>
</div>
<hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title2" id="concept_iqk_tsm_5cb">
<h2 class="title topictitle2" id="ariaid-title2">Is my VM vulnerable to Meltdown and Spectre?</h2>
<div class="body conbody"><p class="shortdesc">Your Virtual Machine (VM) is only vulnerable if it allows running third-party/rogue
applications or scripts. </p>
<p class="p">For example:</p>
<ul class="ul" id="concept_iqk_tsm_5cb__ul_kwg_ysm_5cb">
<li class="li">A restricted user who has shell access can run malicious software.</li>
<li class="li">A user browsing the web from within the VM can unknowingly run malicious JavaScript in their
browser.</li>
</ul>
<p class="p">You can consider your VM non-vulnerable if it is a secured, closed system that does not
allow running rogue code (i.e. the vulnerabilities cannot be exploited), unless an attacker
finds other vulnerabilities to break into your VM.</p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title3" id="concept_r2p_dtm_5cb">
<h2 class="title topictitle2" id="ariaid-title3">Is all the System Vulnerable?</h2>
<div class="body conbody">
<p class="p">The DGW firmware in the Mediatrix system, by itself, is not vulnerable since it does not allow
running rogue code:</p>
<ul class="ul" id="concept_r2p_dtm_5cb__ul_cpx_htm_5cb">
<li class="li"><a class="xref" href="https://www.media5corp.com/media5-statement-meltdown-spectre-vulnerabilities/" target="_blank">https://www.media5corp.com/media5-statement-meltdown-spectre-vulnerabilities/</a></li>
</ul>
<p class="p">It is, however, theoretically possible for a Virtual Machine compromised through the Spectre
vulnerability to read memory outside the Virtual Machine and access sensitive data of the
Mediatrix system. The best protection against this is to secure your VM, making sure there is no
known means an attacker can use to break into it.</p>
<p class="p">Media5 also recommends always keeping your Sentinel 400 up to date with the latest DGW
firmware version.</p>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title4" id="concept_xrt_p5m_5cb">
<h2 class="title topictitle2" id="ariaid-title4">How to Protect my VM against Meltdown</h2>
<div class="body conbody"><p class="shortdesc">Linux kernels have a new feature called KPTI (previously known as KAISER) that protects
against Meltdown.</p>
<p class="p">If your Virtual Machine is vulnerable, Media5 recommends that you upgrade your kernel to a
version that supports KPTI, and enable it.</p>
<div class="p">For more information on KPTI: <a class="xref" href="https://en.wikipedia.org/wiki/Kernel_page-table_isolation" target="_blank">https://en.wikipedia.org/wiki/Kernel_page-table_isolation</a><div class="note important note_important"><span class="note__title">IMPORTANT:</span> Enabling
KPTI may impact the performance of your Virtual Machine.</div></div>
</div>
</article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested1" aria-labelledby="ariaid-title5" id="concept_bxn_z5m_5cb">
<h2 class="title topictitle2" id="ariaid-title5">How to Protect my VM against Spectre</h2>
<div class="body conbody"><p class="shortdesc">There are different mitigation techniques against Spectre:</p>
<ul class="ul" id="concept_bxn_z5m_5cb__ul_ik2_dvm_5cb">
<li class="li">Mitigation #1: A microcode update from the CPU vendor that gives the kernel better control over
branch speculation. An updated kernel is also needed to enable these new features (IBRS and IBPB).</li>
<li class="li">Mitigation #2: Different techniques (like "retpoline" and "LFENCE") that require recompiling
the kernel, packages and applications.</li>
</ul>
<p class="p">At the time this document was written, Mitigation #1 could not be applied, as Intel had not yet
released a microcode update for the CPU of the Sentinel 400.</p>
<div class="p">If your Virtual Machine is vulnerable, Media5 recommends applying Mitigation #2. See <a class="xref" href="https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)#Mitigation" target="_blank">https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)#Mitigation</a> for more
details.<div class="note important note_important"><span class="note__title">IMPORTANT:</span> Mitigation techniques against Spectre may impact the performance
of your Virtual Machine.</div></div>
</div>
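<p class="p">The Meltdown section above names the fix (a KPTI kernel) and this section names the Spectre fixes (vendor microcode with IBRS/IBPB, or a retpoline/LFENCE rebuild), but neither says how to confirm which mitigations the guest kernel actually has active. The following shell script is an added example and is not part of this Media5 document: it reads the per-issue status files that Linux 4.15 and later kernels expose under /sys/devices/system/cpu/vulnerabilities/ (a real path; strings such as "Mitigation: PTI" or "Mitigation: Full generic retpoline" indicate an active mitigation, "Vulnerable" indicates none) and separately looks for the "pti" CPU flag in /proc/cpuinfo. The sample status files it writes are constructed for the demonstration, and the function names are the example's own.</p>

```shell
#!/bin/sh
# Added example, not part of the Media5 document: ask the guest kernel which
# Meltdown/Spectre mitigations it has active. Linux 4.15 and later exposes one
# file per issue under /sys/devices/system/cpu/vulnerabilities/ (real path);
# a file reading "Vulnerable" means no mitigation is in effect for that issue.
# The directory is a parameter so the same function runs against constructed
# sample files here and against the live /sys on a VM.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# check_mitigations DIR
# Prints one line per issue; returns 0 only when every issue reports a mitigation.
check_mitigations() {
    dir=$1
    status=0
    for issue in meltdown spectre_v1 spectre_v2; do
        f="$dir/$issue"
        if [ ! -r "$f" ]; then
            # No sysfs entry: the kernel predates the interface (pre-4.15) and
            # therefore also predates KPTI/retpoline support. Treat as not mitigated.
            printf '%-10s unknown (missing %s)\n' "$issue" "$f"
            status=1
            continue
        fi
        state=$(cat "$f")
        printf '%-10s %s\n' "$issue" "$state"
        case $state in
            Vulnerable*) status=1 ;;
        esac
    done
    return $status
}

# kpti_enabled CPUINFO_FILE
# Second, independent check for the Meltdown fix: an x86 kernel running with
# KPTI lists "pti" among the flags in /proc/cpuinfo (real flag name).
kpti_enabled() {
    tr ' ' '\n' < "$1" | grep -qx pti
}

# make_sample DIR MELTDOWN SPECTRE_V1 SPECTRE_V2
# Writes constructed sysfs-style files so the checks can be exercised offline.
make_sample() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/meltdown"
    printf '%s\n' "$3" > "$1/spectre_v1"
    printf '%s\n' "$4" > "$1/spectre_v2"
}

# Constructed data for two hypothetical guests: one running a KPTI kernel built
# with retpolines (the page's Mitigation #2), one with nothing applied.
SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/patched" "Mitigation: PTI" \
    "Mitigation: __user pointer sanitization" \
    "Mitigation: Full generic retpoline"
make_sample "$SAMPLE/unpatched" "Vulnerable" "Vulnerable" "Vulnerable"

echo "== constructed: patched guest"
check_mitigations "$SAMPLE/patched" || echo "-> at least one issue unmitigated"
echo "== constructed: unpatched guest"
check_mitigations "$SAMPLE/unpatched" || echo "-> at least one issue unmitigated"

# Live check, only where this kernel exposes the interface.
if [ -d "$VULN_DIR" ]; then
    echo "== this system"
    check_mitigations "$VULN_DIR" || echo "-> at least one issue unmitigated"
    kpti_enabled /proc/cpuinfo && echo "KPTI flag present in /proc/cpuinfo" \
        || echo "KPTI flag absent from /proc/cpuinfo"
fi
rm -rf "$SAMPLE"
```

<p class="p">Run it inside the VM as any user; the status files are world-readable. A kernel older than 4.15 has no such directory, which the script reports as unknown, and since such a kernel also predates KPTI this is exactly the case in which the kernel upgrade recommended above applies.</p>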
</article></article><hr><span style="float: inline-end;"><a href="#">Top</a></span><article class="topic concept nested0" aria-labelledby="ariaid-title6" id="concept_fqm_rv4_k4">
<h1 class="title topictitle1" id="ariaid-title6">Copyright Notice</h1>
<div class="body conbody"><p class="shortdesc">Copyright © 2023 Media5 Corporation.</p>
<p class="p">This document contains information that is proprietary to Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves all rights to this document as well as to the Intellectual Property
of the document and the technology and know-how that it includes and represents.</p>
<p class="p">This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever,
without written prior approval by Media5 Corporation.</p>
<p class="p">Media5 Corporation reserves the right to revise this publication and make changes at any time
and without the obligation to notify any person and/or entity of such revisions and/or
changes.</p>
</div>
</article></article></main></body></html>