I have further updated my blog on Meltdown and Spectre to include MobileIron’s planned release of hot fixes later this month.
Two major vulnerabilities affecting almost all devices on the market have been dominating the headlines recently, reaching beyond the usual tech news and into mainstream media.
This is for good reason: these vulnerabilities, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), affect a very basic CPU function known as speculative execution, which is used in all modern CPUs.
Vendors are working quickly to patch the vulnerabilities and most have already released mitigations; however, until devices are updated, they will remain at risk.
We have detailed the vulnerabilities and what customers need to do to secure their devices on the CWSI blog. You can read more about Meltdown and Spectre here.
Meltdown potentially impacts systems running MobileIron server products. This includes MobileIron physical appliances. An attacker who gains unprivileged access to a vulnerable system could potentially extract memory from other processes or VMs.
MobileIron Core, Sentry, and Cloud product deployments are less prone to this kind of attack because the system does not normally allow unprivileged users to run arbitrary programs. However, MobileIron is working to release patches to protect customers.
To fully address these issues, customers will need to apply a combination of MobileIron patches and third-party patches for hypervisors, virtual machines, and mobile devices.
Apply MobileIron Updates
- MobileIron Core and Connector – MobileIron is currently testing hotfixes for Core 9.5 and 9.6 that include the Meltdown patches. An associated version of Connector, which contains these fixes, will be released with Core. These Core hotfixes have a release date of 24 January, 2018.
- MobileIron Sentry – MobileIron is currently testing a hotfix for Sentry 9.2 that includes the Meltdown patches. The Sentry hotfix has a release date of 24 January, 2018.
Apply Hypervisor Updates
- AWS has deployed updates to its hypervisors to address Meltdown and Spectre at the hypervisor level. This protects customers on all MobileIron Access and MobileIron Cloud systems, except those on na1.mobileiron.com, from attack by other virtual machines hosted on the same physical server.
- MobileIron’s na1.mobileiron.com cluster runs on MobileIron-owned hypervisors. MobileIron is currently testing updates to those hypervisors and will deploy them in the next maintenance window.
- For on-premises solutions running as virtual machines (generally MobileIron Core, MobileIron Sentry, and MobileIron Connector), customers will need to apply the updates from their hypervisor vendor.
- At the time of this writing, VMware has released updates to address these vulnerabilities. Please see their support pages for details.
You can follow MobileIron’s article on the Security page of their knowledge base: https://community.mobileiron.com/docs/DOC-5739