How to Determine Meltdown & Spectre Vulnerability

Questions about applications and software
Forum rules
Before you post please read how to get help
Post Reply
km_mcd
Level 1
Level 1
Posts: 22
Joined: Thu Aug 03, 2017 3:12 pm
Location: Arizona USA

How to Determine Meltdown & Spectre Vulnerability

Post by km_mcd » Sat Jan 20, 2018 6:07 pm

I am running LM 18.2 "Sonya." How can I determine whether the PC (built using new motherboard and CPU about six months ago) is vulnerable to Meltwoen and Spectre? I want to be able to verify the result before and after applying updates and (possibly) new BIOS.

I want to verify vulnerability after updating because, on the Intel NUC forum, some tests that users run there are still indicating a Spectre vulnerability even after applying the recent Intel BIOS update.

thanks

Keith

User avatar
xenopeek
Level 24
Level 24
Posts: 21793
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to Determine Meltdown & Spectre Vulnerability

Post by xenopeek » Sat Jan 20, 2018 6:28 pm

You can use this script https://github.com/speed47/spectre-meltdown-checker. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
sudo sh spectre-meltdown-checker.sh

However, the most obvious way users run untrusted code is in their web browser. Most if not all major web browsers are already patched to include mitigation. JavaScript code from websites users visit can thus not exploit these bugs. If you're using some oddball web browser, you can check if it is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html

Other than with your web browser, how much are you in the habit of running code on your computer from untrusted sources? While Meltdown should be fixed for you if you applied the kernel security update already shown in Update manager, Spectre isn't fixed yet but isn't easy to exploit. And to exploit it you would have to run some malware on your system. But if you install malware on your system it can do everything you can if not more—meaning it can already access all your files. Malware doesn't need these bugs for that.
Image

felemur
Level 4
Level 4
Posts: 403
Joined: Sun Sep 20, 2015 2:22 pm

Re: How to Determine Meltdown & Spectre Vulnerability

Post by felemur » Sun Jan 21, 2018 7:44 am

That link you provided triggered my Sophos AV within a second of the page loading. Nice to know the AV does its job.
Screenshot from 2018-01-21 06-41-40.png
Then this popped up when I clicked to run test:
Screenshot from 2018-01-21 06-46-45.png
Last edited by felemur on Sun Jan 21, 2018 8:14 am, edited 1 time in total.

User avatar
xenopeek
Level 24
Level 24
Posts: 21793
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to Determine Meltdown & Spectre Vulnerability

Post by xenopeek » Sun Jan 21, 2018 8:02 am

If only the AV could distinguish between a test and a threat :wink: Now you still don't know if your web browser is already not vulnerable.
Image

User avatar
Minterator
Level 5
Level 5
Posts: 596
Joined: Thu Jan 10, 2013 8:29 am

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Minterator » Sun Jan 21, 2018 8:09 am

$ sudo ~/Downloads/spectre-meltdown-checker-master/spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.11.12-041112-generic #201707210350 SMP Fri Jul 21 07:53:15 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 31 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
Mint 17.3 MATE, kernel 4.11.12

felemur
Level 4
Level 4
Posts: 403
Joined: Sun Sep 20, 2015 2:22 pm

Re: How to Determine Meltdown & Spectre Vulnerability

Post by felemur » Sun Jan 21, 2018 8:18 am

xenopeek wrote:If only the AV could distinguish between a test and a threat :wink: Now you still don't know if your web browser is already not vulnerable.
I did try it with Sophos turned off, and the test said I was "safe". Though, with FF57, I kind-of assumed so.

This is a home/work computer, so I wasn't that worried anyway - just curious.

I run the Beta version of Chrome, and it said that was safe too.

User avatar
Marziano
Level 5
Level 5
Posts: 509
Joined: Thu Jan 04, 2018 1:00 pm
Location: /here

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Marziano » Sun Jan 21, 2018 8:53 am

Minterator wrote:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
You are running kernel Linux 4.11.12-041112-generic.
The only kernels that I know of which have the KPTI-patch are: 4.4.0-109 and 4.13.0-26
Update your intel-microcode as well, if you haven't done that yet.
A false sense of security is worse than no security at all, see --disclaimer
Disclaimer
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place. However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.

The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.

This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
https://github.com/speed47/spectre-melt ... disclaimer
Last edited by Marziano on Sun Jan 21, 2018 10:59 am, edited 1 time in total.
In the Grand Scheme of Things, everything on Earth is nothing but an annoying Bug.

User avatar
Pjotr
Level 19
Level 19
Posts: 9647
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Pjotr » Sun Jan 21, 2018 9:57 am

For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:

Code: Select all

dmesg | grep isolation
It should return:

Code: Select all

[    0.000000] Kernel/User page tables isolation: enabled
Earlier unpatched kernels should return nothing at all for that command.

More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
oligalma
Level 2
Level 2
Posts: 66
Joined: Tue Jan 31, 2017 5:13 am

Re: How to Determine Meltdown & Spectre Vulnerability

Post by oligalma » Sun Jan 21, 2018 9:16 pm

Code: Select all

Update your intel-microcode as well, if you haven't done that yet.
How can I do this?

If I update the BIOS firmware will it update the CPU microcode as well?

User avatar
majpooper
Level 4
Level 4
Posts: 485
Joined: Thu May 09, 2013 1:56 pm
Location: North Carolina, USA

Re: How to Determine Meltdown & Spectre Vulnerability

Post by majpooper » Mon Jan 22, 2018 12:17 am

Pjotr wrote:For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:

Code: Select all

dmesg | grep isolation
It should return:

Code: Select all

[    0.000000] Kernel/User page tables isolation: enabled
Earlier unpatched kernels should return nothing at all for that command.

More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation
I am running a patched kernel
System: Host: 1150z Kernel: 4.4.0-109-generic x86_64 (64 bit gcc: 5.4.0)
Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
Distro: Linux Mint 18.3 Sylvia

Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $

Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core

smurphos
Level 3
Level 3
Posts: 196
Joined: Fri Sep 05, 2014 12:18 am

Re: How to Determine Meltdown & Spectre Vulnerability

Post by smurphos » Mon Jan 22, 2018 12:36 am

majpooper wrote: Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $
grep isolation /var/log/syslog

Try this - the dmesg command doesn't appear to be reliable.

User avatar
Pjotr
Level 19
Level 19
Posts: 9647
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Pjotr » Mon Jan 22, 2018 5:21 am

majpooper wrote:Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core
That's the reason. It's not enabled when you have an AMD CPU, because AMD CPU's aren't affected by Meltdown.
Tip: 10 things to do after installing Linux Mint 18.3 Sylvia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Teksonik
Level 3
Level 3
Posts: 127
Joined: Mon Apr 10, 2017 10:18 pm

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Teksonik » Mon Jan 22, 2018 2:43 pm

My question is has Linux Mint been updated to mitigate the vulnerabilities ? I use 18.3 and check for updates each day. I assume a patch has been released. :)

User avatar
xenopeek
Level 24
Level 24
Posts: 21793
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: How to Determine Meltdown & Spectre Vulnerability

Post by xenopeek » Mon Jan 22, 2018 5:36 pm

You can use this script https://github.com/speed47/spectre-meltdown-checker to check status of your system. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
sudo sh spectre-meltdown-checker.sh

If you installed the available security updates for your kernel, you have the fix for Meltdown.

You can check if your web browser is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html. Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs. Do you use any other programs that run untrusted code on your system? For most home users the answer is no and they are thus not exposed to any malware that would use the Spectre bugs.

There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown. But again: check your web browser if it's not Firefox and confirm it's not vulnerable to Meltdown and Spectre. For most home users that closes the door on these bugs already. Unless you're in the habit of downloading and installing programs onto your system from untrusted websites.
Image

Teksonik
Level 3
Level 3
Posts: 127
Joined: Mon Apr 10, 2017 10:18 pm

Re: How to Determine Meltdown & Spectre Vulnerability

Post by Teksonik » Mon Jan 22, 2018 10:46 pm

xenopeek wrote:If you installed the available security updates for your kernel, you have the fix for Meltdown.
Thanks, that was what I assumed but just wanted to make sure. I update religiously and always accept all offered updates.
xenopeek wrote:Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs.
That's good to know. Mint 18.3 does have 57.0.4 already.
xenopeek wrote:Do you use any other programs that run untrusted code on your system?


No, I mostly use Firefox, T-Bird, Pinta, Gimp etc. There is no sensitive info on this system as I don't use it for banking or any critical web activity.
xenopeek wrote:There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown.
Thanks, I'll keep an eye on developments. :)

Post Reply

Return to “Software & Applications”