How to Determine Meltdown & Spectre Vulnerability
Forum rules
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
Before you post read how to get help. Topics in this forum are automatically closed 6 months after creation.
How to Determine Meltdown & Spectre Vulnerability
I am running LM 18.2 "Sonya." How can I determine whether the PC (built using new motherboard and CPU about six months ago) is vulnerable to Meltwoen and Spectre? I want to be able to verify the result before and after applying updates and (possibly) new BIOS.
I want to verify vulnerability after updating because, on the Intel NUC forum, some tests that users run there are still indicating a Spectre vulnerability even after applying the recent Intel BIOS update.
thanks
Keith
I want to verify vulnerability after updating because, on the Intel NUC forum, some tests that users run there are still indicating a Spectre vulnerability even after applying the recent Intel BIOS update.
thanks
Keith
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: How to Determine Meltdown & Spectre Vulnerability
You can use this script https://github.com/speed47/spectre-meltdown-checker. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
However, the most obvious way users run untrusted code is in their web browser. Most if not all major web browsers are already patched to include mitigation. JavaScript code from websites users visit can thus not exploit these bugs. If you're using some oddball web browser, you can check if it is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html
Other than with your web browser, how much are you in the habit of running code on your computer from untrusted sources? While Meltdown should be fixed for you if you applied the kernel security update already shown in Update manager, Spectre isn't fixed yet but isn't easy to exploit. And to exploit it you would have to run some malware on your system. But if you install malware on your system it can do everything you can if not more—meaning it can already access all your files. Malware doesn't need these bugs for that.
sudo sh spectre-meltdown-checker.sh
However, the most obvious way users run untrusted code is in their web browser. Most if not all major web browsers are already patched to include mitigation. JavaScript code from websites users visit can thus not exploit these bugs. If you're using some oddball web browser, you can check if it is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html
Other than with your web browser, how much are you in the habit of running code on your computer from untrusted sources? While Meltdown should be fixed for you if you applied the kernel security update already shown in Update manager, Spectre isn't fixed yet but isn't easy to exploit. And to exploit it you would have to run some malware on your system. But if you install malware on your system it can do everything you can if not more—meaning it can already access all your files. Malware doesn't need these bugs for that.
- felemur
- Level 5
- Posts: 537
- Joined: Sun Sep 20, 2015 2:22 pm
- Location: In the middle of 1000's of acres of corn & soy fields in a house full of cats.
Re: How to Determine Meltdown & Spectre Vulnerability
That link you provided triggered my Sophos AV within a second of the page loading. Nice to know the AV does its job.
Then this popped up when I clicked to run test:
Then this popped up when I clicked to run test:
Last edited by felemur on Sun Jan 21, 2018 8:14 am, edited 1 time in total.
Re: How to Determine Meltdown & Spectre Vulnerability
If only the AV could distinguish between a test and a threat Now you still don't know if your web browser is already not vulnerable.
Re: How to Determine Meltdown & Spectre Vulnerability
$ sudo ~/Downloads/spectre-meltdown-checker-master/spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.11.12-041112-generic #201707210350 SMP Fri Jul 21 07:53:15 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 31 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
Spectre and Meltdown mitigation detection tool v0.31
Checking for vulnerabilities against running kernel Linux 4.11.12-041112-generic #201707210350 SMP Fri Jul 21 07:53:15 UTC 2017 x86_64
CPU is Intel(R) Core(TM) i7-6700 CPU @ 3.40GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 31 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation
* The SPEC_CTRL MSR is available: NO
* The SPEC_CTRL CPUID feature bit is set: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
* Checking if we're running under Xen PV (64 bits): NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
- felemur
- Level 5
- Posts: 537
- Joined: Sun Sep 20, 2015 2:22 pm
- Location: In the middle of 1000's of acres of corn & soy fields in a house full of cats.
Re: How to Determine Meltdown & Spectre Vulnerability
I did try it with Sophos turned off, and the test said I was "safe". Though, with FF57, I kind-of assumed so.xenopeek wrote:If only the AV could distinguish between a test and a threat Now you still don't know if your web browser is already not vulnerable.
This is a home/work computer, so I wasn't that worried anyway - just curious.
I run the Beta version of Chrome, and it said that was safe too.
Re: How to Determine Meltdown & Spectre Vulnerability
You are running kernel Linux 4.11.12-041112-generic.Minterator wrote:
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
The only kernels that I know of which have the KPTI-patch are: 4.4.0-109 and 4.13.0-26
Update your intel-microcode as well, if you haven't done that yet.
A false sense of security is worse than no security at all, see --disclaimer
Disclaimer
This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place. However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).
Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable. Whatever processor one uses, one might seek more information from the manufacturer of that processor and/or of the device in which it runs.
The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer explicitly stated otherwise in a verifiable public announcement.
This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.
https://github.com/speed47/spectre-melt ... disclaimer
Last edited by Sir Charles on Sun Jan 21, 2018 10:59 am, edited 1 time in total.
- Pjotr
- Level 24
- Posts: 20092
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: How to Determine Meltdown & Spectre Vulnerability
For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:
It should return:
Earlier unpatched kernels should return nothing at all for that command.
More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation
Code: Select all
dmesg | grep isolation
Code: Select all
[ 0.000000] Kernel/User page tables isolation: enabled
More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: How to Determine Meltdown & Spectre Vulnerability
Code: Select all
Update your intel-microcode as well, if you haven't done that yet.
If I update the BIOS firmware will it update the CPU microcode as well?
Re: How to Determine Meltdown & Spectre Vulnerability
I am running a patched kernelPjotr wrote:For testing whether your kernel has been patched against Meltdown, this appears to be a reliable test method:It should return:Code: Select all
dmesg | grep isolation
Earlier unpatched kernels should return nothing at all for that command.Code: Select all
[ 0.000000] Kernel/User page tables isolation: enabled
More information: https://en.wikipedia.org/wiki/Kernel_pa ... _isolation
System: Host: 1150z Kernel: 4.4.0-109-generic x86_64 (64 bit gcc: 5.4.0)
Desktop: Cinnamon 3.6.7 (Gtk 3.18.9-1ubuntu3.3)
Distro: Linux Mint 18.3 Sylvia
Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $
Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core
- smurphos
- Level 18
- Posts: 8498
- Joined: Fri Sep 05, 2014 12:18 am
- Location: Irish Brit in Portugal
- Contact:
Re: How to Determine Meltdown & Spectre Vulnerability
majpooper wrote: Yet - it returns nothing
majpooper@1150z ~ $ dmesg | grep isolation
majpooper@1150z ~ $
grep isolation /var/log/syslog
Try this - the dmesg command doesn't appear to be reliable.
For custom Nemo actions, useful scripts for the Cinnamon desktop, and Cinnamox themes visit my Github pages.
- Pjotr
- Level 24
- Posts: 20092
- Joined: Mon Mar 07, 2011 10:18 am
- Location: The Netherlands (Holland) 🇳🇱
- Contact:
Re: How to Determine Meltdown & Spectre Vulnerability
That's the reason. It's not enabled when you have an AMD CPU, because AMD CPU's aren't affected by Meltdown.majpooper wrote:Then again I am running AMD
CPU: Octa core AMD FX-8150 Eight-Core
Tip: 10 things to do after installing Linux Mint 21.3 Virginia
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.
Re: How to Determine Meltdown & Spectre Vulnerability
My question is has Linux Mint been updated to mitigate the vulnerabilities ? I use 18.3 and check for updates each day. I assume a patch has been released.
Re: How to Determine Meltdown & Spectre Vulnerability
You can use this script https://github.com/speed47/spectre-meltdown-checker to check status of your system. Download it and run the included spectre-meltdown-checker.sh file as root. From the directory where you have extracted or saved that file, you do that on the terminal with command:
If you installed the available security updates for your kernel, you have the fix for Meltdown.
You can check if your web browser is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html. Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs. Do you use any other programs that run untrusted code on your system? For most home users the answer is no and they are thus not exposed to any malware that would use the Spectre bugs.
There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown. But again: check your web browser if it's not Firefox and confirm it's not vulnerable to Meltdown and Spectre. For most home users that closes the door on these bugs already. Unless you're in the habit of downloading and installing programs onto your system from untrusted websites.
sudo sh spectre-meltdown-checker.sh
If you installed the available security updates for your kernel, you have the fix for Meltdown.
You can check if your web browser is vulnerable with this: https://xlab.tencent.com/special/spectr ... check.html. Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs. Do you use any other programs that run untrusted code on your system? For most home users the answer is no and they are thus not exposed to any malware that would use the Spectre bugs.
There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown. But again: check your web browser if it's not Firefox and confirm it's not vulnerable to Meltdown and Spectre. For most home users that closes the door on these bugs already. Unless you're in the habit of downloading and installing programs onto your system from untrusted websites.
Re: How to Determine Meltdown & Spectre Vulnerability
Thanks, that was what I assumed but just wanted to make sure. I update religiously and always accept all offered updates.xenopeek wrote:If you installed the available security updates for your kernel, you have the fix for Meltdown.
That's good to know. Mint 18.3 does have 57.0.4 already.xenopeek wrote:Firefox 57.0.4 has mitigation in place so that websites can't use the Meltdown and Spectre bugs.
xenopeek wrote:Do you use any other programs that run untrusted code on your system?
No, I mostly use Firefox, T-Bird, Pinta, Gimp etc. There is no sensitive info on this system as I don't use it for banking or any critical web activity.
Thanks, I'll keep an eye on developments.xenopeek wrote:There is no security update for the kernel available yet that addresses Spectre. You can follow the progress of the security team on that here: https://wiki.ubuntu.com/SecurityTeam/Kn ... ndMeltdown.