How to check if my Linux is still vulnerable to Spectre and Meltdown CPU bugs? Spectre and Meltdown allows attacker to read virtual memory arbitrarily in modern processors. Attacker can steal your passwords and other sensitive data by reading memory of computer systems.
- CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
- CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depending on your CPU.
- CVE-2017-5754: rogue data cache load (Meltdown). You must install updated kernel version with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.
There’s a simple shell script which finds out if your Linux kernel is vulnerable to “Speculative Execution”. You can use this script to check if your still vulnerable to Spectre and Meltdown CPU bugs.
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
How To Check Linux For Meltdown And Spectre Vulnerability
$ sudo sh spectre-meltdown-checker.sh
This will be the output yours can be different it will let you know if your vulnerable.
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 12:32:11 UTC 2017 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)