On August 8th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as "Gather Data Sampling (GDS)" or "Downfall", may allow an attacker to obtain sensitive information from a system. The vulnerability has been assigned CVE-2022-40982 and rated medium severity by Intel.
What is the vulnerability?
CVE-2022-40982 is a transient execution side-channel vulnerability that affects Intel® Core processors from the 6th Generation (Skylake) to the 11th Generation (Tiger Lake). It allows an attacker with local access to infer stale data from previously used vector registers on the same physical core. A detailed description can be found in the .
What is the risk?
If an attacker is able to exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts (i.e., other virtual machines or even the host device).
Impacted IONOS Cloud products
Product Ranges | Product | Impacted | Mitigated | Patch Status
What action has IONOS Cloud taken to mitigate the severity?
IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate it. We are also investigating the exposure and risk of this vulnerability for our customers' products and instances.
We will provide necessary updates as we learn more.
How can I get help?
If you have further questions or concerns about this vulnerability, contact .
On November 14th, 2023, Intel disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as Redundant REX Prefix, may allow an attacker to confuse the system, resulting in unpredictable behavior. If an attacker successfully exploits this vulnerability, they could crash or hang the target system and, in some scenarios, achieve an escalation of privilege, which may allow them to obtain sensitive information from the system. The vulnerability has been assigned CVE-2023-23583 and given a high severity score of 8.8 by Intel.
Impacted IONOS Cloud products
Product Ranges | Product | Impacted | Mitigated | Patch Status
What action has IONOS Cloud taken to mitigate the severity?
IONOS Cloud is committed to the privacy and security of our customers' data. We have already completed the required steps to mitigate this vulnerability by upgrading the affected systems' firmware. IONOS Cloud owns the patching responsibility, and no action is required from the customer.
How can I get help?
If you have further questions or concerns about this vulnerability, contact .
Sensitive information disclosure and manipulation due to missing authorization
On October 9, 2023, Acronis disclosed a vulnerability in its Acronis Agent for Linux, Mac, and Windows. This vulnerability may allow an unauthorized attacker to view and manipulate antivirus and antimalware protection plans applied to a specific agent. The vulnerability has been assigned CVE-2023-45247 and classified as high severity.
Impacted IONOS Cloud products
Product Ranges | Product | Impacted | Mitigated | Patch Status
What action has IONOS Cloud taken to mitigate the severity?
IONOS and Acronis are in constant communication to gain a deeper understanding of this vulnerability and to ensure that:
There are no signs of active exploitation resulting from the vulnerability. For more information, see .
The vulnerability does not allow unauthorized access to IONOS Cloud customers' backup data.
IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.
How can I get help?
If you have further questions or concerns about this vulnerability, contact .
On October 9, 2023, Acronis disclosed another vulnerability in its Acronis Agent for Windows. The vulnerability can be fixed by upgrading to build version 36497.
Impacted IONOS Cloud products
Product Ranges | Product | Impacted | Mitigated | Patch Status
What action has IONOS Cloud taken to mitigate the severity?
The IONOS Cloud team is in constant communication with Acronis and will soon allow customers to download the patched Windows agent. Acronis has ensured that there are no signs of active exploitation, and IONOS Cloud customer backups are not impacted by this vulnerability. For more information, see .
IONOS Cloud will publish the non-vulnerable versions of agents when Acronis shares the information, estimated to be by the end of November 2023.
How can I get help?
If you have further questions or concerns about this vulnerability, contact .
Sensitive information disclosure due to speculative side-channel attack
On August 8th, 2023, Advanced Micro Devices (AMD) disclosed a vulnerability in its recent computer processor microarchitecture. This vulnerability, known as Return From Procedure (RET) Speculation or Inception, may allow an attacker to obtain sensitive information from a system.
If an attacker can exploit this vulnerability, they could potentially exfiltrate information contained within different security contexts such as other Virtual Machines (VMs) or even the host device.
The CVE ID is assigned to this vulnerability and classified as a medium severity by AMD.
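To see what a Linux system's kernel reports for the two CPU issues on this page (Gather Data Sampling and Inception), the following added example, which is not part of the IONOS advisory, reads the kernel's sysfs entries `gather_data_sampling` and `spec_rstack_overflow`. It assumes a kernel recent enough to expose those entries; the function names and output format are illustrative.

```shell
#!/bin/sh
# Added example: summarise the kernel's reported mitigation state for
# GDS/Downfall and Inception. Function names are illustrative.

# Standard sysfs location; overridable so the logic can be run against
# constructed files.
VULN_DIR_DEFAULT=/sys/devices/system/cpu/vulnerabilities

# Map one sysfs status line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        # A guest kernel may not be able to tell what the host applied.
        "Unknown"*)      echo unknown ;;
        *)               echo unrecognised ;;
    esac
}

# Print "<label> <verdict> <raw status>" for one sysfs entry.
check_entry() {
    dir=$1 file=$2 label=$3
    if [ ! -r "$dir/$file" ]; then
        # Older kernels do not report this issue at all.
        echo "$label not_reported -"
        return 0
    fi
    status=$(cat "$dir/$file")
    echo "$label $(classify_status "$status") $status"
}

# Report both issues covered on this page.
report() {
    dir=${1:-$VULN_DIR_DEFAULT}
    check_entry "$dir" gather_data_sampling GDS
    check_entry "$dir" spec_rstack_overflow Inception
}

# Succeeds (exit 0) if any entry is classified as vulnerable.
any_vulnerable() {
    report "$1" | awk '$2 == "vulnerable" { found = 1 } END { exit !found }'
}

report
```

Inside a virtual machine the GDS entry can read `Unknown: Dependent on hypervisor status`, which is the case where the mitigation state is determined by the host rather than the guest.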
Impacted IONOS Cloud products
Product Ranges | Product | Impacted | Mitigated | Patch Status
What action has IONOS Cloud taken to mitigate the severity?
IONOS Cloud is committed to the privacy and security of our customers' data. We are aware of this vulnerability and have already initiated the required steps to mitigate it. We are also investigating the exposure and risk of this vulnerability for our customers' products and instances.
We will provide necessary updates as we learn more.
How can I get help?
If you have further questions or concerns about this vulnerability, contact .