NetApp Says Its Storage Systems Not Impacted By Spectre, Meltdown Thanks To Its OnTap OS
Storage vendor NetApp said its storage hardware is not susceptible to potential security attacks caused by the Spectre and Meltdown processor design flaws discovered last week.
Spectre and Meltdown account for three variants of the side-channel analysis security issue first identified by the Google Zero Project team and other researchers who found that the Intel, AMD and ARM Holdings processors commonly used in servers and PCs could allow unauthorized users to examine privileged information in memory in certain circumstances.
Sunnyvale, Calif.-based NetApp, like most storage vendors, bases its storage hardware on x86-based server platforms.
[Related: Processor Security Issue: Intel Says Processors Working As Designed]
NetApp Thursday issued a statement saying that it is "closely monitoring the situation" and will apply security patches as they are released.
On Friday, however, NetApp provided more information to CRN via email saying that its OnTap storage operating system was designed in such a way that malicious code cannot run on its storage systems.
"OnTap is not susceptible to either the Spectre or Meltdown attacks as they depend on the ability to run malicious code directly on the target system. OnTap is a closed system that does not provide mechanisms for running third-party code," NetApp wrote.
The company also stated that the same holds true whether customers run OnTap in a hardware or software implementation.
"The same is true of all OnTap variants including both OnTap running on FAS/AFF hardware as well as virtualized OnTap products such as OnTap Select and OnTap Cloud. NetApp has advised hypervisor customers to work with their cloud platform vendors to ensure that their OnTap product is running on a secure and patched platform," NetApp wrote.
NetApp declined to comment further on the side-channel analysis security issue.
There are three possible ways side-channel analysis could be exploited by unauthorized users.
Two of those variants are known as Spectre and include one that under certain circumstances could be used to leak Linux kernel memory and another that could change how an application works based on the contents of memory.
The third, known as Meltdown, could let an application read kernel memory from userspace without misdirecting the control flow of kernel code, the Google Project Zero team wrote.
To date, there have been no known exploits of the security issue.
Customers already have started asking about whether their NetApp storage systems are vulnerable to the side-channel analysis security issue, said John Woodall, vice president of engineering at Integrated Archive Systems, a Palo Alto, Calif.-based solution provider and NetApp channel partner.
However, Woodall told CRN, vendors including NetApp have done a good job of reaching out proactively with information.
"NetApp has made it clear that its OnTap-based systems are not systems on which people can run other applications," Woodall said. "They may be built on sever hardware with code or processors that can be attacked, but because OnTap controls access, unauthorized applications cannot access the data."
That holds true for NetApp's cloud-based and virtual storage appliances, Woodall said.
However, that does not mean customers can let their guard down, Woodall said. "I'm now looking at my iPhone," he said. "Every one of us has multiple devices like this. And add to that all the work we do on the cloud, and you can't calculate how much you are exposed."
Fixing the problem will be a long-term job, Woodall said.
"NetApp is OK," he said. "But all that data is accessed by servers that may be exposed to the flaw. So the data is safe, but the only way to access it is via potentially compromised servers. Now I have to patch my servers, but performance could drop by up to 30 percent in some cases. Great. Now I need more storage to make up for the performance. And then I look at all those embedded devices and wonder, when does the madness end?"