CPU Multiple Vulnerabilities (aka Meltdown and Spectre)

• Make sure the OS version are at least (https://support.apple.com/en-hk/HT208394):
  • iOS 11.2
  • macOS 10.13.2
  • tvOS 11.2
• New patches 11.0.2 for Safari is available.

• For Windows:
  • First need to make sure the Anti-Virus software is ready (see below), then install the January 2018 Windows operating system security update. (For details: https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software)
  • If the Anti-Virus software is not ready, the specific patch will not be installed.
• For Server OS:
  • the protection must be manually enable even if the patches are installed (For details: https://support.microsoft.com/en-us/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution)

• Make sure the database of anti-virus software is updated to be compatible with new Microsoft patches.
  (for example, for Windows 7/2008 https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894)
  “Due to an issue with some versions of Anti-Virus software, this fix is only being made applicable to the machines where the Anti virus ISV have updated the ALLOW REGKEY.”
• You can check if HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc is exist or not.
• DO NOT manually add this key. It must be added by compatible Anti-Virus software.
• For example, the follow command:
  reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc
  Should return “(Default) REG_DWORD 0x0” for compatible Anti-virus software.

• Update database released on 28 Dec 2017 or later to enable the registry key. Details refer tohttps://support.kaspersky.com/14042.

• Make sure Application and Threat Content (Version 763) is installed.

For PA Firewall OS – PAN-OS/Panorama:

• Palo Alto Networks Security Advisory (https://securityadvisories.paloaltonetworks.com/)
• Information about Meltdown and Spectre findings (PAN-SA-2018-0001) “Palo Alto Networks is aware of recent vulnerability disclosures, known as Meltdown and Spectre, that affect modern CPU architectures. Preliminary findings conclude that these vulnerabilities pose no increased risk to Palo Alto Networks PAN-OS devices. (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754).”
  “There are no immediate plans to release a software update to PAN-OS in response to these issues at this time.”

• New IPS signature on 5 Jan to prevent CPU speculative execution was released. Enable IPS function and update latest Fortiguard signature.
• The new signature is “CPU.Speculative.Executive.Timing.Information.Disclosure”

For Fortinet Firewall OS & other products:

• FortiOS and some other Fortinet products are designed to not permit arbitrary code execution in the user space under regular conditions. The impacts to Fortinet products is still under investigation.
• FortiGuard Advisory (https://fortiguard.com/psirt/FG-IR-18-002).

• Please refer to Windows Server above.

• VMware ESXi, Workstation and Fusion updates address side-channel analysis due to speculative execution (with patch VMSA-2018-0002.1).
• VMware vSphere, Workstation and Fusion updates add Hypervisor-Assisted Guest Remediation for speculative execution issue (with patch VMSA-2018-0004).