Fortinet Advisory on New Spectre and Meltdown Vulnerabilities

Earlier this week, it was announced that researchers had uncovered two new side-channel attacks that exploit newly discovered vulnerabilities found in most processors, including those from Intel, AMD, and ARM. These vulnerabilities allow malicious userspace processes to read kernel memory, potentially leaking sensitive kernel information. They are known as Meltdown and Spectre.

Fortinet’s PSIRT team is actively conducting an extensive review to determine the potential impact on Fortinet solutions, and at this time has classified the risk to Fortinet products as low. Meltdown and Spectre are “Information Disclosure” and “Privilege Escalation” types of vulnerabilities. An attack is only possible on devices when combined with an additional, unrelated local or remote code execution vulnerability.

In the meantime, to lower your risk of a Meltdown/Spectre attack, we strongly recommend upgrading to our latest publicly available software versions. Updates for our various products can be found here.

We will continue to monitor the situation and provide additional updates as new information comes to light. You can read the latest advisory from the PSIRT team here. You can also find additional information about these vulnerabilities on the Common Vulnerabilities and Exposures website.

CVEs:

Spectre attack: CVE-2017-5753, CVE-2017-5715

Meltdown attack: CVE-2017-5754