Are VDI environments vulnerable to Meltdown and Spectre?

By | March 2, 2018

Are VDI Environments Affected by Meltdown and Spectre?

VDI environments can be affected when taking into consideration the hardware platform used to connect to the backend VDI environment, the hypervisor, as well as the guest operating system presented via the hypervisor. As an example, many VDI environments are running Microsoft Windows virtual machines for which Microsoft has released patches to change how user and kernel mode code is allowed to interact. However, there are facets of VDI architecture that help mitigate the effects of Meltdown and Spectre attack surfaces. Let’s take a look at what those are.

VDI Environments Help Mitigate Meltdown and Spectre Attack Surfaces

When it comes to securing a VDI environment, the security is only as good as the person or team that configured the solution, including a VDI solution. However, VDI solutions holds definite architectural advantages that can help when we think specifically about the Meltdown and Spectre exploits and the patching process involved to remediate the vulnerabilities. The key advantages with VDI as relates to Meltdown and Spectre are as follows:

  • Centralized Management of compute resources and backend virtual machines provides better tooling and automated means of patch management.
    • Having a means to effectively patch and remediate security vulnerabilities can be much easier to accomplished with VDI solutions as resources are maintained centrally. After the single “Gold Image” is patched with the recommended Microsoft Meltdown and Spectre patches, all the resulting virtual machines provisioned will by default be patched.
    • Patching the underlying hypervisor generally requires no downtime as VMs are simply shifted around to alternate compute and memory resources.
  • Information that is processed is the output of virtual machines.
    • By design, VDI processes the output of the underlying virtual machines. There is the abstraction layer that helps to create a barrier between an attacker and potentially interacting with the thin client CPU.
  • Thin Client devices and Thin Client OS software are highly customized packages that by their nature provide a much more restricted environment to attempt an exploit of speculative execution. VDI software running on top of a thin client such as Praim ThinOX, are stripped down and customized operating systems that are more difficult to exploit when trying to compromise any underlying speculative execution processes.
  • Many vendors like Praim have centralized management of thin client hardware that makes operations such as BIOS updates and other firmware upgrades highly automated and efficient.
    • By using ThinMan Server, Praim provides powerful control of thin client devices.  This allows installing new firmware and security updates to the ThinOX operating system.

Specific vendors of certain thin clients interoperating with VDI environments have noted their systems are not vulnerable to the Meltdown and Spectre CPU exploits. As an example, Teradici PCoIP zero client endpoints remain secure. Vendors utilizing the Teradici models such as the Praim P Series which make use of the Teradici TERA2321 PCoIP and Teradici TERA2140 PCoIP, are totally secure.

Additionally, many organizations running Windows thin clients have noted the patches issued by Microsoft have been very heavy from a disk usage standpoint. This has resulted in some experiencing disk space issues on certain thin clients running Microsoft Windows. By utilizing a very small footprint purpose-built VDI operating system such as Praim ThinOX4PC, businesses can alleviate disk space issues that come with patching their Windows based thin clients. On those devices, simply installing ThinOX4PC allows utilizing the same hardware while eliminating the need to install the heavy Microsoft kernel software patches.


Read the original article at: