Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.1899.2
Meltdown and Spectre class vulnerabilities
27 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: FortiOS
FortiAP
FortiSwitch
FortiAnalyzer
Publisher: Fortiguard
Operating System: Network Appliance
Impact/Access: Access Privileged Data -- Existing Account
Increased Privileges -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2019-11091 CVE-2018-12130 CVE-2018-12127
CVE-2018-12126 CVE-2018-3693 CVE-2018-3665
CVE-2018-3646 CVE-2018-3640 CVE-2018-3639
CVE-2018-3620 CVE-2018-3615 CVE-2017-5754
CVE-2017-5753 CVE-2017-5715
Reference: ASB-2019.0138
ASB-2019.0109
ESB-2019.1879
ESB-2019.1818
Original Bulletin:
https://fortiguard.com/psirt/FG-IR-18-002
Revision History: August 27 2019: Vendor added information about
SWAPGS vulnerability
May 27 2019: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Meltdown and Spectre class vulnerabilities
IR Number : FG-IR-18-002
Date : Jan 04, 2018
Risk : 2/5
Impact : Information Disclosure, Privilege Escalation
CVE ID : CVE-2017-5753, CVE-2017-5715, CVE-2017-5754, CVE-2018-3615,
CVE-2018-3620, CVE-2018-3639, CVE-2018-3640, CVE-2018-3646, CVE-2018-3665,
CVE-2018-3693, CVE-2019-11091, CVE-2018-12130, CVE-2018-12127, CVE-2018-12126,
CVE-2019-1125
Summary
New types of side channel attacks impact most processors including Intel, AMD,
ARM, etc. These attacks allow malicious userspace processes to read kernel
memory, thus potentially causing kernel sensitive information to leak.
These attacks are referred to as Meltdown and Spectre class vulnerabilities,
and variants of them:
o CVE-2017-5753 Variant 1, Bounds Check Bypass (Spectre BCB)
o CVE-2017-5715 Variant 2, Branch Target Injection (Spectre BTI)
o CVE-2017-5754 Variant 3, Rogue Data Cache Load (Meltdown RDCL)
o CVE-2018-3640 Variant 3a, Rogue System Register Read (Spectre-NG RSRE)
o CVE-2018-3639 Variant 4: Speculative Store Bypass (Spectre-NG SSB)
o CVE-2018-3665 Lazy FP state restore (Spectre-NG LazyFP)
o CVE-2018-3693 Spectre 1.1: Bounds Check Bypass Store (Spectre-NG BCBS)
o CVE unknown: Spectre 1.2: Read-only Protection Bypass (RPB)
o CVE unknown: Other Spectre-NG flaws (Spectre-NG)
o CVE unknown: Attack against Return Stack Buffer (SpectreRSB)
o CVE-2017-5753 Remote PoC attack on Spectre Variant 1 (NetSpecture)
o CVE unknown: Attack against Branch Prediction Units (BranchScope)
o CVE-2018-3615 L1 Terminal Fault: SGX (Foreshadow)
o CVE-2018-3620 L1 Terminal Fault: OS/SMM (Foreshadow-NG)
o CVE-2018-3646 L1 Terminal Fault: VMM (Foreshadow-NG)
o CVE-2019-11091: Microarchitectural Data Sampling Uncacheable Memory (MDSUM)
(ZombieLoad)
o CVE-2018-12130: Microarchitectural Fill Buffer Data Sampling (MFBDS)
(ZombieLoad)
o CVE-2018-12127: Microarchitectural Load Port Data Sampling (MLPDS)
(ZombieLoad)
o CVE-2018-12126: Microarchitectural Store Buffer Data Sampling (MSBDS)
(ZombieLoad)
o CVE-2019-1125 SWAPGS Spectre Side-Channel Vulnerability (SWAPGS)
Impact
Information Disclosure, Privilege Escalation
Affected Products
The following products run processors that may be affected by Meltdown/Spectre
and variants; they are not, however, directly exploitable:
FortiOS
FortiAP
FortiSwitch
FortiAnalyzer
Indeed Fortinet products are designed to not permit arbitrary code execution in
the user space under regular conditions. Thus Meltdown/Spectre attacks and
their variants are only possible if the attack is combined with an additional
local or remote code execution vulnerability, unrelated to these two issues -
Meltdown and Spectre can then aggravate the situation, if such vulnerabilities
exist and are successfully exploited.
Solutions
To lower your attack risk to Meltdown/Spectre and reduce the possibility of an
"already existing local or remote code execution vulnerability", upgrading to
our latest publicly available software version is highly recommended.
Due to the fact the OS kernel patch, by nature, slows the performance down, and
considering the low risk, OS kernel patches may be produced and update details,
if have any, will be given in product release notes.
Please note that in any case, any vulnerability (Local code execution or remote
code execution) that would enable the exploitability of Spectre/Meltdown class
vulnerabilities will always be treated as a high/critical severity
vulnerability, and swiftly fixed.
Mitigation
Customers are suggested to upgrade to the following listed branches and
versions (newer branches preferred):
FortiOS upgrade to 5.6.3, 6.0.0 or newer versions
FortiAP upgrade to 5.6.5, 6.0.2 or newer versions
FortiSwitch upgrade to 3.6.3, 4.0.0 or newer versions
FortiAnalyzer upgrade to 5.6.6, 6.0.2 or newer versions
Update History
01-04-2018 Initial version.
01-18-2018 Final assessment.
05-22-2018 Remove other vendors (Microsoft Windows/VMware) patch info.
05-22-2018 Include variant v3a, v4 and Spectre-ng vulnerabilities.
07-12-2018 Include LazyFP, variant v1.1 and v1.2
08-01-2018 IncludeSpectreRSB andNetSpecture
08-16-2018 Include BranchScope, Foreshadow and Foreshadow-NG
11-22-2018 Add product mitigation suggestions.
05-24-2019 Included Intel ZombieLoad Side-Channel Attacks
08-26-2019 Included SWAPGS Spectre Side-Channel Vulnerability
References
o https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
o https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)
o https://foreshadowattack.eu/
o https://zombieloadattack.com/
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXWSETmaOgq3Tt24GAQjhHBAAmCwioC2DxjAJ2xO3zAfXtU/vcPv5zYB8
9OzETA8s7CYsoO5yqpC4UGmHnFrr0XqS9z6C1XqyEjkuUurHocguvbu2PQwpeiNq
/t9CoCg9RfUgefV+O1Q49F10L0YkpkTU+FGu1MjodU6KPRwZ8KpPNKEPm86EPeQn
VY2zKPD13gxgX9x7AxURlNEHqxEjnE8o8ifInkOIOWIFMf+iGGNz+Ty9b5xYQl79
T1JbmdGEHa8a/mlLZE61pIaee5PCcM6kHFaMnzY+Cr+2TcOm4rOkbylxPABGfjbA
eD0Cgz5Ahkd6BQqDU9KzwZtx4HOVyFogKiC6laKradIhIA7/JUUoeC24gjav1WSJ
LsVtKVdeZkN4WLGM9syyH1osFIJSt8LWx4S2OokhWM4bSM1We/z82w0KoTZWqj8H
kDyEAy1CnQGS9pd9PHdCNpX4+y9L0UAAk9ZgPtRkr5DKW4V6iEEt4h6FWWu1yOdg
m1EcX4U/Cp8VvW+yM2vgaGkFbGueAukhpl3j5qHycWhs1WFD8eDvzhCZ4HZgh1Y2
iqUBM36zd+L/I8sBEtw7ByhTQSs70nzadNc6+hx7ik3S/CtBn2gOxnIUxzlbM1z3
2fb/waT0bZJWZIbbhRFFeC7voV4zzLpdF03sy5DlwDOeVXTJHhy63Uh5Hnj3iW8d
FGm1MdRLvV0=
=Pmhc
-----END PGP SIGNATURE-----