CPU Multiple Vulnerabilities (aka Meltdown and Spectre)
Multiple vulnerabilities were identified in CPUs. A remote attacker can exploit these vulnerabilities to bypass security restrictions and obtain sensitive information from the targeted system. They work on personal computers, mobile devices, and in the cloud.
Variant 2: branch target injection (CVE-2017-5715, also Spectre)
Variant 3: rogue data cache load (CVE-2017-5754, Meltdown)
Available Patches
Please note that:
Some patches may affect system performance, so before installing them, please visit the hardware and software vendors' websites for more detailed information and to get the appropriate patches.
Patches will be provided by each vendor and might be applicable to specific versions only.
Make sure the database of anti-virus software is updated to be compatible with new Microsoft patches.
(for example, for Windows 7/2008 https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894)
“Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV have updated the ALLOW REGKEY.”
You can check whether HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc exists.
DO NOT manually add this key. It must be added by compatible Anti-Virus software.
For example, the following command (the entry is a REG_DWORD value under the QualityCompat key, so it is queried with /v):
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat /v cadca5fe-87d3-4b96-b7fb-a231484277cc
should return the value as “REG_DWORD 0x0” for compatible anti-virus software.
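A read-only PowerShell version of this check, added here as an example (it is not from Microsoft or from the original page). It assumes the flag is stored as a REG_DWORD value named cadca5fe-87d3-4b96-b7fb-a231484277cc under the QualityCompat key; Test-AvCompatFlag is a hypothetical helper name. It only reads the registry and never creates the entry.

```powershell
# Read-only audit of the anti-virus compatibility flag discussed above.
# Assumption: the flag is a REG_DWORD value, named with the GUID below,
# stored under the QualityCompat key, with data 0.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$ValueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatFlag {   # hypothetical helper name
    param(
        [string]$Path = $KeyPath,
        [string]$Name = $ValueName
    )
    $result = [ordered]@{
        Computer  = $env:COMPUTERNAME
        KeyExists = $false
        ValueKind = $null
        ValueData = $null
        Status    = 'Missing: anti-virus has not set the flag'
    }
    # Get-Item on a registry path returns a Microsoft.Win32.RegistryKey.
    $key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($key) {
        $result.KeyExists = $true
        if ($key.GetValueNames() -contains $Name) {
            $result.ValueKind = $key.GetValueKind($Name)
            $result.ValueData = $key.GetValue($Name)
            $isDword = $result.ValueKind -eq [Microsoft.Win32.RegistryValueKind]::DWord
            if ($isDword -and $result.ValueData -eq 0) {
                $result.Status = 'Present: REG_DWORD 0x0'
            } else {
                # The name exists but with another type or data.
                $result.Status = 'Unexpected type or data: investigate'
            }
        }
        $key.Close()
    }
    [pscustomobject]$result
}

# Report the state of the local machine.
Test-AvCompatFlag | Format-List
```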
Information about Meltdown and Spectre findings (PAN-SA-2018-0001)
“Palo Alto Networks is aware of recent vulnerability disclosures, known as Meltdown and Spectre, that affect modern CPU architectures. Preliminary findings conclude that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).”
“There are no immediate plans to release a software update to PAN-OS in response to these issues at this time.”
A new IPS signature for CPU speculative execution was released on 5 Jan. Enable the IPS function and update to the latest FortiGuard signatures.
The new signature is “CPU.Speculative.Executive.Timing.Information.Disclosure”
For Fortinet Firewall OS & other products:
FortiOS and some other Fortinet products are designed not to permit arbitrary code execution in user space under regular conditions. The impact on Fortinet products is still under investigation.