NickTheGreek, posted January 8, 2018

How to check Linux for Spectre and Meltdown vulnerability

Posted on January 8, 2018 in categories CentOS, Debian / Ubuntu, Linux, RedHat and Friends, Security, Suse; last updated January 8, 2018.

How do I check if my Linux server is still vulnerable to the Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that checks Intel/AMD/ARM and other CPUs for the following bugs:

- CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
- CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depends on your CPU.
- CVE-2017-5754: rogue data cache load (Meltdown). You must install an updated kernel version with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script to find out if your Linux kernel (installation) is vulnerable to the 3 "speculative execution" CVEs. Use this script to check whether you are still vulnerable to the Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as the root user. You can view the source code here. Use the wget command or curl command to grab the source code on your Linux box:

    $ cd /tmp/
    $ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

OR

    $ git clone https://github.com/speed47/spectre-meltdown-checker.git

Sample outputs:

    Cloning into 'spectre-meltdown-checker'...
    remote: Counting objects: 155, done.
    remote: Compressing objects: 100% (20/20), done.
    remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
    Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
    Resolving deltas: 100% (88/88), done.

How to check Linux for Spectre and Meltdown vulnerability

Run the script as the root user using the sudo command or su command:

    $ sudo sh spectre-meltdown-checker.sh

Sample outputs from an Ubuntu Linux desktop:

    [sudo] password for vivek:
    Spectre and Meltdown mitigation detection tool v0.16

    Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
    > STATUS:  VULNERABLE

    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  NO
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO
    * PTI enabled and active:  NO
    > STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

Another output from my CentOS 7.x server, where Meltdown/Spectre v1 was patched with the kernel:

    $ sudo sh spectre-meltdown-checker.sh

[screenshot: Spectre Meltdown vulnerability mitigation detection check tool for Linux]

For more info see the official GitHub page here.

https://www.cyberciti.biz/faq/check-linux-server-for-spectre-meltdown-vulnerability/
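As an added example (not part of the original post and not the checker project's own code), the following POSIX shell check reads the kernel's own status files for the same three CVEs. Kernels from 4.15 onward expose them under /sys/devices/system/cpu/vulnerabilities; the directory is a parameter so the check can be run against a constructed sample directory (the sample contents below are made up, not real kernel output), and older kernels without that interface are reported so you can fall back to the script.

```shell
#!/bin/sh
# Added example: check the kernel's per-CVE sysfs status files.
# Each file holds "Not affected", "Vulnerable[: detail]" or "Mitigation: <what>".

# Map one status line to a verdict word.
classify_status() {
    case "$1" in
        "Not affected") echo NOT_AFFECTED ;;
        Vulnerable*)    echo VULNERABLE ;;
        Mitigation:*)   echo MITIGATED ;;
        *)              echo UNKNOWN ;;
    esac
}

# Report Spectre v1/v2 and Meltdown status from the sysfs files under $1
# (default: the real sysfs path). Return 0 if nothing is vulnerable,
# 1 if at least one CVE is vulnerable, 2 if a file is missing (kernel
# without the sysfs interface: use spectre-meltdown-checker.sh instead).
check_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    vulnerable=0
    missing=0
    for pair in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715 meltdown:CVE-2017-5754; do
        file=${pair%%:*}
        cve=${pair#*:}
        if [ ! -r "$dir/$file" ]; then
            echo "$cve ($file): no sysfs entry, kernel too old for this check"
            missing=1
            continue
        fi
        status=$(cat "$dir/$file")
        verdict=$(classify_status "$status")
        echo "$cve ($file): $verdict ($status)"
        if [ "$verdict" = VULNERABLE ]; then
            vulnerable=1
        fi
    done
    if [ "$vulnerable" -eq 1 ]; then return 1; fi
    if [ "$missing" -eq 1 ]; then return 2; fi
    return 0
}

# Build a CONSTRUCTED sample directory under $1 (not real kernel output):
# v1 and Meltdown mitigated, v2 still vulnerable, like a half-patched host.
make_sample_dir() {
    mkdir -p "$1"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$1/spectre_v2"
    echo "Mitigation: PTI" > "$1/meltdown"
}
```

Run `check_vulns` with no argument on a live host to read the real sysfs files; a non-zero exit status makes it usable from a fleet inventory or monitoring job.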