How to Determine Meltdown & Spectre Vulnerability

[km_mcd]

I am running LM 18.2 "Sonya." How can I determine whether the PC (built using new motherboard and CPU about six months ago) is vulnerable to Meltwoen and Spectre? I want to be able to verify the result before and after applying updates and (possibly) new BIOS.

I want to verify vulnerability after updating because, on the Intel NUC forum, some tests that users run there are still indicating a Spectre vulnerability even after applying the recent Intel BIOS update.

thanks

Keith

[xenopeek]

You can use this script https://github.com/speed47/spectre-meltdown-checker. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
sudo sh spectre-meltdown-checker.sh

However, the most obvious way users run untrusted code is in their web browser. Most if not all major web browsers are already patched to include mitigation. JavaScript code from websites users visit can thus not exploit these bugs. If you're using some oddball web browser, you can check if it is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html

Other than with your web browser, how much are you in the habit of running code on your computer from untrusted sources? While Meltdown should be fixed for you if you applied the kernel security update already shown in Update manager, Spectre isn't fixed yet but isn't easy to exploit. And to exploit it you would have to run some malware on your system. But if you install malware on your system it can do everything you can if not more—meaning it can already access all your files. Malware doesn't need these bugs for that.

[felemur]

That link you provided triggered my Sophos AV within a second of the page loading. Nice to know the AV does its job.

Screenshot from 2018-01-21 06-41-40.png

Then this popped up when I clicked to run test:

Screenshot from 2018-01-21 06-46-45.png

[xenopeek]

If only the AV could distinguish between a test and a threat Now you still don't know if your web browser is already not vulnerable.

[Minterator]

$ sudo ~/Downloads/spectre-meltdown-checker-master/spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.11.12-041112-generic #201707210350 SMP Fri Jul 21 07:53:15 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 31 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

[felemur]

If only the AV could distinguish between a test and a threat Now you still don't know if your web browser is already not vulnerable.

I did try it with Sophos turned off, and the test said I was "safe". Though, with FF57, I kind-of assumed so.

This is a home/work computer, so I wasn't that worried anyway - just curious.

I run the Beta version of Chrome, and it said that was safe too.

[Sir Charles]

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO

You are running kernel Linux 4.11.12-041112-generic.
The only kernels that I know of which have the KPTI-patch are: 4.4.0-109 and 4.13.0-26
Update your intel-microcode as well, if you haven't done that yet.

A false sense of security is worse than no security at all, see --disclaimer

Disclaimer
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place. However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.

The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.

This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
https://github.com/speed47/spectre-melt ... disclaimer

[Pjotr]

For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:

Code: Select all

dmesg | grep isolation

It should return:

Code: Select all

[    0.000000] Kernel/User page tables isolation: enabled

Earlier unpatched kernels should return nothing at all for that command.

More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation

[oligalma]

Code: Select all

Update your intel-microcode as well, if you haven't done that yet.

How can I do this?

If I update the BIOS firmware will it update the CPU microcode as well?

[majpooper]

For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:

Code: Select all

dmesg | grep isolation

It should return:

Code: Select all

[    0.000000] Kernel/User page tables isolation: enabled

Earlier unpatched kernels should return nothing at all for that command.

More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation

I am running a patched kernel
System: Host: 1150z Kernel: 4.4.0-109-generic x86_64 (64 bit gcc: 5.4.0)
Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
Distro: Linux Mint 18.3 Sylvia

Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $

Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core

[smurphos]

Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $

grep isolation /var/log/syslog

Try this - the dmesg command doesn't appear to be reliable.

[Pjotr]

Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core

That's the reason. It's not enabled when you have an AMD CPU, because AMD CPU's aren't affected by Meltdown.

[Teksonik]

My question is has Linux Mint been updated to mitigate the vulnerabilities ? I use 18.3 and check for updates each day. I assume a patch has been released.

[xenopeek]

You can use this script https://github.com/speed47/spectre-meltdown-checker to check status of your system. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
sudo sh spectre-meltdown-checker.sh

If you installed the available security updates for your kernel, you have the fix for Meltdown.

You can check if your web browser is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html. Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs. Do you use any other programs that run untrusted code on your system? For most home users the answer is no and they are thus not exposed to any malware that would use the Spectre bugs.

There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown. But again: check your web browser if it's not Firefox and confirm it's not vulnerable to Meltdown and Spectre. For most home users that closes the door on these bugs already. Unless you're in the habit of downloading and installing programs onto your system from untrusted websites.

[Teksonik]

If you installed the available security updates for your kernel, you have the fix for Meltdown.

Thanks, that was what I assumed but just wanted to make sure. I update religiously and always accept all offered updates.

Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs.

That's good to know. Mint 18.3 does have 57.0.4 already.

Do you use any other programs that run untrusted code on your system?

No, I mostly use Firefox, T-Bird, Pinta, Gimp etc. There is no sensitive info on this system as I don't use it for banking or any critical web activity.

There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown.

Thanks, I'll keep an eye on developments.