To exploit the Spectre and Meltdown CPU vulnerabilities, an attacker would require the ability to execute arbitrary code. No 7SIGNAL product allows execution of arbitrary code by an unauthorized user. Code execution would require the presence of second, unrelated vulnerability, and it is likely that such a vulnerability would already allow compromise of the system without the need for further exploits. In other words, if an unauthorized person can gain access to your server and run their own code, then you have much bigger problems since there are easier ways to hurt you than leveraging the CPU attack vector.
More specifically, relating to 7SIGNAL's Sapphire Eye 2100 and 500 models:
- The only way to access the Eye is secured via ssh/TLS
- There is no web server (a much more common attack vector)
- The CPU vulnerabilities rely on how the CPU handles multiple users. Sapphire Eyes can only run as one user – thus, this vulnerability is not applicable.
More generally, 7SIGNAL's cloud servers, Sapphire Eyes, and premise-based solutions are designed to be secure and performant. We are confident in our security posture. Given the fix for the CPU vulnerability may have significant performance impacts – up to 20% based on workload and many other variables – we will move forward prudently, testing for and addressing performance impacts prior to deploying the OS patches.
Russell Wangler, CTO