PSIRT Advisory

CPU hardware vulnerable to Meltdown and Spectre attacks

Summary

A new class of side-channel attacks impacts most processors, including Intel, AMD and ARM. The attack allows malicious userspace processes to read kernel memory, potentially leaking sensitive kernel information. These vulnerabilities are referred to as Meltdown and Spectre.

Spectre attack:
CVE-2017-5753: Variant 1, bounds check bypass
CVE-2017-5715: Variant 2, branch target injection

Meltdown attack:
CVE-2017-5754: Variant 3, rogue data cache load

Impact

Information Disclosure, Privilege Escalation

Affected Products

The following products run processors affected by the Meltdown/Spectre vulnerability:

FortiOS
FortiAP
FortiSwitch
FortiAnalyzer

That does not mean, however, that these products are exploitable. See details under "Solutions" below.

Solutions

All related CVEs are "Information Disclosure" and "Privilege Escalation" type of vulnerabilities. The following Fortinet products are designed to not permit arbitrary code execution in the user space under regular conditions:

FortiOS
FortiAnalyzer
FortiSwitch
FortiAP
FortiManager
FortiMail
FortiWeb
FortiPortal
FortiAuthenticator
FortiVoice
FortiRecorder
AscenLink
FortiDDoS

Please refer to your local TAC for further questions.

A Meltdown and/or Spectre attack is only possible on potentially affected products (among the above) if the attack is combined with an additional local or remote code execution vulnerability, unrelated to these two issues. Meltdown and Spectre can then aggravate the situation, if such vulnerabilities exist and are successfully exploited.

To lower your exposure to Meltdown/Spectre and reduce the possibility of an "already existing local or remote code execution vulnerability" (as referred to above), upgrading to our latest publicly available software version is highly recommended.

* UPDATE on Microsoft Security Advisory ADV180002 support:

FortiClient Windows versions 5.4.5 or 5.6.4 (Released on Jan 8, 2018) are fully compatible with security updates mentioned in Microsoft advisory ADV180002, which addresses the issue in MS Windows.

Instructions to make older versions of FortiClient Windows compatible with the aforementioned Microsoft security updates can be found in the Fortinet Knowledge base article: http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD40946

* UPDATE on VMware patch:

We advise our customers running multiple Fortinet VM appliances under VMware to update the latter with the following patches: https://www.vmware.com/us/security/advisories/VMSA-2018-0002.html and https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html, which address CVE-2017-5753 and CVE-2017-5715 (Spectre attack), in order to ensure the instances remain isolated from each other (and from other processes in the host system).

* UPDATE on Patching Plan:

Regarding the products assessed above (for which exploiting Meltdown/Spectre would be potentially feasible only by leveraging additional and unrelated exploitable local or remote code execution vulnerabilities), Fortinet is still evaluating an OS kernel patch plan.

Because an OS kernel patch, by nature, reduces performance, and considering the low risk, OS kernel patches may be produced. Updates will be provided here, and details will be given in product release notes.

Please note that in any case, any vulnerability (local code execution or remote code execution) that would enable the exploitability of Spectre/Meltdown will always be treated as a high/critical severity vulnerability, and swiftly fixed.

Update History:
01-04-2018 Initial version.
01-10-2018 Update Microsoft Security Advisory ADV180002 support.
01-10-2018 Add VMware advisory patch VMSA-2018-0002 suggestion.
01-17-2018 Add VMware advisory patch VMSA-2018-0004 suggestion.
01-22-2018 Final assessment, Affected Products update.