Three vulnerabilities involving the abuse of speculative execution in modern CPUs were disclosed this week. Technical coverage of these vulnerabilities is available in our security blog. The security blog post will also cover our ongoing effort to protect our Zscaler Internet Access customers' endpoints and servers from these potential exploits.
On Jan 4th, 2018 we posted a preliminary trust post stating our assessment that this class of vulnerabilities does not pose a serious risk to our cloud infrastructure or the data that we are securing. This post expands on that statement with the additional information we now have and the actions we have taken.
There are several important factors to consider when assessing potential cloud service exposure to this class of vulnerabilities:
One important topic to highlight is the use of virtualized private infrastructure components by customers. Many of our customers run ZPA connectors, NSS, ZAB and VZENs in their infrastructure. It is important that you update the hosts (hypervisors) to prevent VM escape, where another guest on the same host could read memory regions used by our infrastructure. Only updates to the hosts can protect the guests from these exploits; updating a guest OS on its own will not protect it against another compromised guest on the same host. It is the customer's responsibility to apply the updates relevant to their infrastructure. PZENs are not vulnerable, as they run on dedicated hardware and should not allow an attacker to execute arbitrary code on them.
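As an added example (not from this post or from Zscaler), the following POSIX shell check reads the per-issue status files that the Linux kernel exports under /sys/devices/system/cpu/vulnerabilities/ and fails if any still reports "Vulnerable"; it assumes a Linux hypervisor host with a kernel recent enough to expose those files, and the sample directory it builds contains constructed values, not real output.

```shell
#!/bin/sh
# Added example: verify speculative-execution mitigation status on a Linux host.
# The kernel writes one file per issue under /sys/devices/system/cpu/vulnerabilities/
# (e.g. meltdown, spectre_v1, spectre_v2); each file holds "Not affected",
# "Mitigation: <detail>" or "Vulnerable[: <detail>]".

# Print one status line per file in $1 (default: the real sysfs path) and
# return 1 if any issue is still "Vulnerable" or unrecognised, 0 otherwise.
# The directory is a parameter so the same parser can run on a sample tree.
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || { echo "no sysfs vulnerability info in $dir (kernel too old?)"; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected") echo "OK         $name: $status" ;;
            Mitigation:*)   echo "OK         $name: $status" ;;
            Vulnerable*)    echo "VULNERABLE $name: $status"; rc=1 ;;
            *)              echo "UNKNOWN    $name: $status"; rc=1 ;;
        esac
    done
    return $rc
}

# Build a constructed sysfs-like directory (sample values, not captured from
# a real host) so the check can be demonstrated without touching /sys.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    echo "$d"
}
```

Run it on the hypervisor itself: the same files inside a guest describe only that guest kernel's mitigations and say nothing about whether the host has been patched.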