On January 3, a set of vulnerabilities known as Meltdown and Spectre were announced. These vulnerabilities effect many modern computer processors. Exploitation of these vulnerabilities could allow an attacker to obtain access to sensitive information. At this time, the industry is unaware of any active exploitation but given the scope of these vulnerabilities, it is expected that exploits will be developed.
How does this affect SolarWinds MSP solutions?
SolarWinds MSP products use several different operating systems and operating environments. We are in the process of evaluating the impact and applying appropriate remediation including patches and firmware upgrades.
For the on-premises N-central product and for our Backup product, it is important to note that although technically they have the same vulnerability, they are implemented on dedicated and hardened infrastructure making them closed systems and are not directly exploitable.
For our other SaaS products, many of our cloud/hosting vendors (including AWS, Azure, Rackspace) have already patched their environments, which greatly reduces our exposure. As a best practice, we will also be patching our guest operating systems.
A General Word About Patching
For those on virtual environments, it is important to patch the hypervisor. Patching of the secondary operating systems is a best practice.
The SolarWinds MSP on-premises N-central and Backup products run on closed systems, which are less exploitable; however, we will provide updated versions with the latest OS patch. For N-central, 11.1 SP1 HF2 should be available sometime during the week of Jan 22, 2018. For hosted instances (NCOD), no action is required as all updates will be handled by the SolarWinds MSP Ops team.
Jan 5 UPDATE: For MSPs and Their Clients
IMPORTANT: Microsoft patches require a compatible version of Anti-virus (AV) in for the patch to run successfully. Check with your AV vendor to ensure you have the correct AV version to avoid any unwanted outcomes.
If SolarWinds MSP provides your AV: We are currently in investigation and compatibility testing for AV Defender and Managed Anti-virus (MAV) and we will keep you informed on the progress and when to proceed with patching. Please check back here for updates.
Jan 5 UPDATE: Both of our AV vendors are in final stages of compatibility testing with the recent Microsoft patch for this vulnerability. In the interim, please do not circumvent the patching solution in N-central or RMM. We are expecting final testing results by mid next week and will advise of any remediation or updates required at that time.
This notification will be updated as we receive new information on improved, patches, AV compatibility or any other information as it becomes available.
For additional information, please refer to any of the links below:
• Homeland Security US-CERT TA18-004A: Meltdown and Spectre Side-Channel Vulnerability Guidance (https://www.us-cert.gov/ncas/alerts/TA18-004A)
• Users and administrators are encouraged to review Vulnerability Note VU#584653, (https://www.kb.cert.org/vuls/id/584653), Microsoft’s Advisory (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002) and Mozilla’s blog post (https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/) for additional information and refer to their OS vendor for appropriate patches.
• You can find information on Apple devices https://support.apple.com/en-ca/HT208331
• For a comprehensive summary on Meltdown and Spectre see: https://meltdownattack.com/
• For Amazon Linux information see: Amazon Linux AMI Security Center (https://alas.aws.amazon.com/)