Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pfuller
New Contributor

Meltdown/Spectre impact?

Do we have a general idea of the impact of the recent processor vulnerabilities to fortinet systems, specifically in my case a FortiADC 200D?  Do we have a timeframe of patches being available in the meantime?

1 Solution
RobertReynolds

FortiClient 5.6.4 released today to address the Meltdown patch for Windows..

 

My Windows10 is on fasttrack so I think I already got patched for Meltdown in the December build

View solution in original post

10 REPLIES 10
tanr
Valued Contributor II

The Windows 10 patch for Meltdown isn't getting installed automatically on any Windows systems we have that are running FortiClient 5.6.3.  We're not running EMS.  Trying to run a local windows update says there aren't any updates.

 

Per Microsoft's description of this at https://support.microsoft.com/sw-ke/help/4056892/windows-10-update-kb4056892 it might mean that MS is seeing FortiClient as AV software that isn't compatible with the patch.  But the registry key the KB refers to is properly set on those systems.

 

Anybody else seeing issues with installing the Windows 10 patch (KB4056891 or KB4056892 I think) on systems with FortiClient 5.6.3?  Or anybody successfully installed the patch on Windows 10 systems with FortiClient 5.6.3?

NickKS
New Contributor

Same issue

yamonwi
New Contributor

Same question

seadave
Contributor III

We noticed CPU util jumped with AV update 2.92730 in 1/1/18 and are wondering if this is related.

 

 

 

tanr
Valued Contributor II

Windows 10 allowed the Meltdown patch to install after I removed FortiClient 5.6.3 from the machine.

 

EDIT: Note that the registry key Microsoft requires was properly set on the system but it still wouldn't update until I removed FortiClient.

 

Actually a bit messier than that.  Just unregister of the FortiClient, stop services, and uninstall (with reboot) wasn't sufficient.  Running FCRemove.exe also not sufficient.  Removing the directories the uninstall had left behind also didn't do it.  Finally had to hunt through registry entries and do some of the cleanup by hand before Windows considered FortiClient gone enough to allow the patch.  Ugh.  I really hope those of you managing lots of FortiClients through EMS have an easier way to deal with this, or that my case was a fluke.

 

Danielx64
New Contributor

A quick search is leading me to this: http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD40946

 

FortiClient compatibility with the Microsoft Security update of January 3, 2018 - Meltdown Products FortiClient v5.4 FortiClient v5.6  Description Microsoft released a security update on January 3, 2018 to insure compatibility of a Windows updates related to CPU security flaw (Meltdown) with anti-virus software products (see Microsoft Security Bulletin KB4072699). Fortinet tested the latest active FortiClient software versions 5.4.4 and 5.6.3 and found them fully compatible with Microsoft's January 2018 Security Update. It safe to use these versions with the security update. Solution Microsoft requires that the following registry key exist on all compatible systems, even if there is no AV product installed: Key="HKEY_LOCAL_MACHINE"Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value Name="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD” Data="0x00000000” With the latest active FortiClient versions 5.4.4 and 5.6.3, it will be required to add this key manually, or using Group Policy, in order to receive the January 3, 2018 security update. Fortinet will release new versions of FortiClient prior to January 9, which will add the required registry key automatically.

neonbit
Valued Contributor

Fortinet have a PSIRT tracking this here: https://fortiguard.com/psirt/FG-IR-18-002

 

Best to check up on it to see when there's an update.

droehrig
New Contributor II

So just found out that you cannot install 5.6.3  or earlier with the KB4056892 installed. Just tested it on 3 different machines. Two machines have the update and one did not. The two with the update failed to install (stops and hangs at installing drivers). The one without the patch flies through with no problem. So sounds like to me that the Forticlient program is not on the approved/compatible list. Anyone else having this problem?

 

Would appreciate input and advice

 

Donna

RobertReynolds

FortiClient 5.6.4 released today to address the Meltdown patch for Windows..

 

My Windows10 is on fasttrack so I think I already got patched for Meltdown in the December build

Top Kudoed Authors