Reply to post: The security folks will say...

Biggest vuln bombshell in forever and storage industry still umms and errs over patches

Naselus

The security folks will say...

Bit of a tricky one, tbh.

While most storage appliances aren't literally incapable of running external code, they almost never do. They're rarely logged into. I *can* SSH onto my Netapp and run code on it... but I don't, and even if I was doing so, the code would almost inevitably be supplied by Netapp themselves and the SSH session is password-protected and requires a priv elevation to do anything invasive. We're talking about a once-a-year window of opportunity for the attack, rather than a daily occurrence as with a general-purpose OS.

Risk is always chance*impact, and really, the chance of exploiting meltdown/spectre on a storage appliance is orders of magnitude smaller than on a general-purpose OS. The attack surface is effectively tiny.

On the other hand, if one DID manage to get me to run the code, the nature of the appliances (always on, with security and detailed stats barely monitored) means that bad code could run undetected for months.

With HCI, on the other hand, there's really no argument - patch it, do it now, and don't try and make excuses.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER

Biting the hand that feeds IT © 1998–2020