PSIRT Advisory

BranchScope: New CPU Side-Channel Attack

Summary

A new side-channel attack has been disclosed (http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf) that takes advantage of the speculative execution feature of modern processors to recover data from targeted users' CPUs. It targets "branch prediction" operations, the same part of a CPU's speculative execution process that "Spectre variant 2" targets. However, while "Spectre 2" exploits the Branch Target Buffer (BTB), BranchScope exploits the Directional Branch Predictor (DBP).

Impact

Information Disclosure, Privilege Escalation

Affected Products

Fortinet is aware of the disclosure of the BranchScope vulnerability and has performed an initial assessment of its relevance to Fortinet products.

That initial assessment shows that BranchScope is similar to Spectre variant 2, and that the following products may run on affected processors:

FortiOS
FortiAP
FortiAnalyzer
FortiSwitch

That does not mean, however, that these products are exploitable. See details in "Solutions" below.

Solutions

As the aforementioned products, by design, do not allow arbitrary code to run in user space, another remote or local code execution vulnerability (unrelated to BranchScope) against our products would be needed to leverage this attack; such a code execution vulnerability would actually be more severe than the BranchScope vulnerability itself. We are not aware of such a vulnerability in the aforementioned products.

To reduce the possibility of the existence of a "local or remote code execution vulnerability" (as referred to above), upgrading to our latest publicly available software version is recommended.

Furthermore, the information contained in the initial disclosure document shows that only 3 types of Intel x86_64 processors - Sandy Bridge, Haswell, and Skylake - were proven to be successfully exploitable by BranchScope.

FortiOS users can check the CPU model of their unit by running the following CLI command:

# get hardware status
Model name: FortiGate-XXX
CPU: {CPU model info}

If the CPU model info is not among the processors mentioned above, then the risk for the FortiGate appliance is even lower.

Note also that:

* There is no PoC attack code disclosed at the moment.
* Intel has not issued any official disclaimer.
* Fortinet PSIRT will continue to monitor further developments regarding the BranchScope vulnerability and will update this document if needed.

Update History:
04-02-2018 Initial assessment.