CPU Meltdown and Spectre class attacks

Summary

New types of side channel attacks impact most processors including Intel, AMD, ARM, etc. These attacks allow malicious userspace processes to read kernel memory, thus potentially causing kernel sensitive information to leak.


These attacks are referred to as Meltdown and Spectre class vulnerabilities, and variants of them:


o CVE-2017-5753 Variant 1, Bounds Check Bypass (Spectre BCB)
o CVE-2017-5715 Variant 2, Branch Target Injection (Spectre BTI)
o CVE-2017-5754 Variant 3, Rogue Data Cache Load (Meltdown RDCL)
o CVE-2018-3640 Variant 3a, Rogue System Register Read (Spectre-NG RSRE)
o CVE-2018-3639 Variant 4: Speculative Store Bypass (Spectre-NG SSB)
o CVE-2018-3665 Lazy FP state restore (Spectre-NG LazyFP)
o CVE-2018-3693 Spectre 1.1: Bounds Check Bypass Store (Spectre-NG BCBS)
o CVE unknown: Spectre 1.2: Read-only Protection Bypass (RPB)
o CVE unknown: Other Spectre-NG flaws (Spectre-NG)
o CVE unknown: Attack against Return Stack Buffer (SpectreRSB)
o CVE-2017-5753 Remote PoC attack on Spectre Variant 1 (NetSpecture)
o CVE unknown: Attack against Branch Prediction Units (BranchScope)
o CVE-2018-3615 L1 Terminal Fault: SGX (Foreshadow)
o CVE-2018-3620 L1 Terminal Fault: OS/SMM (Foreshadow-NG)
o CVE-2018-3646 L1 Terminal Fault: VMM (Foreshadow-NG)
o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM) (ZombieLoad)
o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS) (ZombieLoad)
o CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS) (ZombieLoad)
o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS) (ZombieLoad)
o CVE-2019-1125 SWAPGS Spectre Side-Channel Vulnerability (SWAPGS)

Affected Products

The following products run processors that may be affected by Meltdown/Spectre and variants; they are not, however, directly exploitable:
FortiOS
FortiAP
FortiSwitch
FortiAnalyzer
Indeed Fortinet products are designed to not permit arbitrary code execution in the user space under regular conditions. Thus Meltdown/Spectre attacks and their variants are only possible if the attack is combined with an additional local or remote code execution vulnerability, unrelated to these two issues - Meltdown and Spectre can then aggravate the situation, if such vulnerabilities exist and are successfully exploited.

Solutions

To reduce the risk of being exposed to a Meltdown/Spectre class vulnerability and reduce the possibility of an "already existing local or remote code execution vulnerability", upgrading to our latest publicly available software version is recommended. Due to the fact the OS kernel patch, by nature, slows the performance down, and considering the low risk, OS kernel patches may be produced and update details, if have any, will be given in product release notes. Please note that in any case, any vulnerability (Local code execution or remote code execution) that would enable the exploitability of Spectre/Meltdown class vulnerabilities will always be treated as a high/critical severity vulnerability, and swiftly fixed. Mitigation Customers are suggested to upgrade to the following listed branches and versions (newer branches preferred): FortiOS upgrade to 5.6.3, 6.0.0 or newer versions FortiAP upgrade to 5.6.5, 6.0.2 or newer versions FortiSwitch upgrade to 3.6.3, 4.0.0 or newer versions FortiAnalyzer upgrade to 5.6.6, 6.0.2 or newer versions Update History 01-04-2018 Initial version. 01-18-2018 Final assessment. 05-22-2018 Remove other vendors (Microsoft Windows/VMware) patch info. 05-22-2018 Included variant v3a, v4 and Spectre-ng vulnerabilities. 07-12-2018 Included LazyFP, variant v1.1 and v1.2 08-01-2018 Included SpectreRSB and NetSpecture 08-16-2018 Included BranchScope, Foreshadow and Foreshadow-NG 11-22-2018 Added product mitigation suggestions. 05-24-2019 Included Intel ZombieLoad Side-Channel Attacks 08-26-2019 Included SWAPGS Spectre Side-Channel Vulnerability