PSIRT Advisory

CPU hardware vulnerable to Meltdown and Spectre attacks

Summary

A new type of side-channel attack impacts most processors, including Intel, AMD and ARM. The attack allows malicious userspace processes to read kernel memory, potentially leaking sensitive kernel information. These vulnerabilities are referred to as Meltdown and Spectre.

Spectre attack:
CVE-2017-5753: Variant 1, bounds check bypass
CVE-2017-5715: Variant 2, branch target injection

Meltdown attack:
CVE-2017-5754: Variant 3, rogue data cache load

Impact

Information Disclosure, Privilege Escalation

Affected Products

The impact on Fortinet products is still under investigation.

Solutions

* Fortinet Products Assessment:

All related CVEs are "Information Disclosure" and "Privilege Escalation" vulnerabilities. The following Fortinet products are designed not to permit arbitrary code execution in user space under regular conditions:

FortiOS
FortiAnalyzer
FortiSwitch
FortiAP
FortiManager
FortiMail
FortiWeb

Other products that have been addressed have the same design feature as above:

FortiPortal
FortiAuthenticator
FortiVoice
FortiRecorder
AscenLink

For assessments of other products, please refer to your local TAC.

A Meltdown and/or Spectre attack is only possible on potentially affected products (among the above) if the attack is combined with an additional local or remote code execution vulnerability, unrelated to these two issues. Meltdown and Spectre can then aggravate the situation, if such vulnerabilities exist and are successfully exploited.

To lower your exposure to Meltdown/Spectre and reduce the possibility of an "already existing local or remote code execution vulnerability" (as referred to above), upgrading to our latest publicly available software version is highly recommended.

* UPDATE on Microsoft Security Advisory ADV180002 support:

FortiClient Windows versions 5.4.5 or 5.6.4 (released on Jan 8, 2018) are fully compatible with the security updates mentioned in Microsoft advisory ADV180002, which addresses the issue in MS Windows.

Instructions to make older versions of FortiClient Windows compatible with the aforementioned Microsoft security updates can be found in the Fortinet Knowledge Base article: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40946

* UPDATE on VMware patch:

We advise our customers running multiple Fortinet VM appliances under VMware to update the latter with the following patches: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html and https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html, which address CVE-2017-5753 and CVE-2017-5715 (Spectre attack), in order to ensure the instances remain isolated from each other (and from other processes in the host system).

Update History:
01-04-2018 Initial version.
01-10-2018 Update Microsoft Security Advisory ADV180002 support.
01-10-2018 Add VMware advisory patch VMSA-2018-0002 suggestion.
01-17-2018 Add VMware advisory patch VMSA-2018-0004 suggestion.