MacStadium Customers Are Protected from Foreshadow
Foreshadow, another speculative execution vulnerability in the vein of Spectre and Meltdown, is causing IT and DevOps professionals headaches this week as they apply a slew of patches meant to mitigate any potential impact. While difficult to exploit (tellingly, Intel has not yet disclosed any real-world victims), the kind of data that can be exfiltrated (including passwords) and the ineffectiveness of previous mitigations against it still make this vulnerability worth paying attention to.
The specific problem for CI/CD projects is the potential impact on virtual machines, since in theory Foreshadow could help break down the walls between them. In the context of VMs, the exploit could allow a malicious VM to infer the contents of the hypervisor's or another VM's privileged memory if both VMs run on the same physical core and therefore share its L1 data cache. In other words, malicious software on a guest VM (of an affected system) could potentially lift sensitive data from another virtual machine.
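A practical defender-side check that follows from the mechanism above: on a Linux host or guest, the kernel reports its L1 Terminal Fault (Foreshadow) status, including whether SMT leaves the hypervisor exposed, in a sysfs file. The script below is an added example, not code from the original post or from MacStadium; it assumes a Linux system exposing /sys/devices/system/cpu/vulnerabilities/l1tf, and the status strings it is exercised against are constructed samples in the kernel's documented format, not output captured from any real machine.

```shell
#!/bin/sh
# Classify the kernel's L1TF status line into a risk category a
# patch-management report can act on.
#
# Constructed sample status strings in the format the Linux kernel writes to
# /sys/devices/system/cpu/vulnerabilities/l1tf (assumption: Linux host; these
# are examples, not output from any real system).
SAMPLE_NOT_AFFECTED='Not affected'
SAMPLE_VULNERABLE='Vulnerable'
SAMPLE_SMT_VULN='Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable'
SAMPLE_SMT_OFF='Mitigation: PTE Inversion; VMX: SMT disabled'

# classify_l1tf STATUS
# Prints one of: not-affected, unmitigated, hypervisor-exposed, mitigated, unknown.
# "hypervisor-exposed" means the page-table mitigation is in place but a guest
# on a sibling hyperthread could still read the host's L1D, which is exactly
# the cross-VM case described above.
classify_l1tf() {
    status="$1"
    case "$status" in
        'Not affected')                          echo not-affected ;;
        'Vulnerable'*)                           echo unmitigated ;;
        *'SMT vulnerable'*|*'VMX: vulnerable'*)  echo hypervisor-exposed ;;
        'Mitigation:'*)                          echo mitigated ;;
        *)                                       echo unknown ;;
    esac
}

# read_l1tf_status
# Prints the live status line if this system exposes it, otherwise nothing.
read_l1tf_status() {
    f=/sys/devices/system/cpu/vulnerabilities/l1tf
    if [ -r "$f" ]; then
        cat "$f"
    fi
    return 0
}

# report STATUS
# One line per host, suitable for feeding into a fleet inventory.
report() {
    printf '%-20s %s\n' "$(classify_l1tf "$1")" "$1"
}

# When run directly: prefer the real sysfs value, fall back to the samples so
# the script demonstrates every category offline.
live="$(read_l1tf_status)"
if [ -n "$live" ]; then
    report "$live"
else
    for s in "$SAMPLE_NOT_AFFECTED" "$SAMPLE_VULNERABLE" "$SAMPLE_SMT_VULN" "$SAMPLE_SMT_OFF"; do
        report "$s"
    done
fi
```

The ordering of the `case` arms matters: a plain "Vulnerable" line must be caught before the substring patterns, and an SMT-exposed line must be caught before the generic "Mitigation:" arm, otherwise a host that still shares its L1D across hyperthreads would be reported as fully mitigated.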
What does this mean for MacStadium customers? Thankfully, not much, because MacStadium customers were never in any danger from this exploit. For one, our default firewall implementation blocks all potential avenues of attack: attackers would need local user access with guest OS privileges to exploit the vulnerability, and our default firewall configuration blocks that. Our physical security measures prevent physical access to the machines. And most importantly, MacStadium's host infrastructure is built on Apple hardware that doesn't contain the impacted Intel chips.
Even though MacStadium customers remain unaffected by Foreshadow, customers should always take care to have an effective and timely patch management program in place. To upgrade your VMware implementation, simply open a ticket with Support stating your request. And while Apple Insider anticipates Apple patches for this vulnerability in the future, we expect those will be aimed at MacBooks and other systems that actually contain an impacted Intel chip. As always, we'll stay vigilant about the potential impact of any security vulnerability that could affect MacStadium customers, and keep you posted.