Skip to main content

Update for Spectre And Meltdown, A Script for Checking Your System

I found a very nice program to run and check if my computer is vulnerable to Spectre and Meltdown. It is now March 2018. Two months after the initial reports of the vulnerabilities against computer processors, what is the state of security with regard to these two vulnerabilities?

Thank you to this script by Stephen Lesimple. The link is a git clone link. It will download everything in its directory. Inspect the script before running it as root.

There are no options. It will check your system against 3 CVE's made for the "speculative execution" vulnerability. This is my output.

Spectre and Meltdown mitigation detection tool v0.35

Checking for vulnerabilities on current system
Kernel is Linux 4.15.5-1-ARCH #1 SMP PREEMPT Thu Feb 22 22:15:20 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-4590 CPU @ 3.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  YES  (model 60 stepping 3 ucode 0x23)

The microcode your CPU is running on is known to cause instability problems,
such as intempestive reboots or random crashes.
You are advised to either revert to a previous microcode version (that might not have
the mitigations for Spectre), or upgrade to a newer one if available.

* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits 
array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline 
compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
[donato@archdesktop spectre-meltdown-checker]$ 


Comments

Post a Comment

Popular posts from this blog

Mailvelope, Encryption for Webmail

Encryption is the topic of week. I wrote about it in a related post here. While encryption is a very good idea, doing it and doing it every day as part of your work flow is another thing. My view is that if you're already using an email client then it is easier, simpler and more convenient to adopt encryption. That is not the case if you're using a webmail service. If you are using the browser to check, compose and send your email, what are your options? The answer is: it's complicated. Looking for a way to do encryption with Google Chrome and Gmail, I found this. I also read that Google just released code for email encryption as open source. But it's a long way to being used by end users. The extension for Google Chrome works fine if the recipient also uses Google Chrome. But I went ahead and check this on Evolution.
Post a Comment
Read more

Donald Trump Is The 45th President of the United States

     and he is preparing to move with his transition team into the Oval Office. His election is a shock to many political observers and the world in general. Donald Trump, the president-elect, ran against Hillary Clinton, former Secretary of State and for many the most qualified candidate for the presidency in many years. This has led to many post election analysis of how this upset happened. The numbers of votes for each candidate and the comparisons with previous presidential elections point to the fact that the white vote for Mr. Trump is solid all throughout but the minority and black votes did not come for Mrs. Clinton. This is what happened in crucial States like Michigan and Florida. The Republicans kept Congress and the Senate. It is quite notable that Russia and in particular, Vladimir Putin, is happy that they are going to talk to Mr. Trump rather than Mrs. Clinton. It is also a ...
Post a Comment
Read more

Webapps in Unity

So it has been 4 months since Ubuntu 14.04 came out. This is LTS and supported for 6 years by Canonical. The first mobile device with Ubuntu pre-installed is promised to come out later this year, 2014. It's time to check out how the apps perform so far. It is a good idea. I use Gmail and Twitter and Facebook. Why not a webapp in a desktop? So I start the Twitter and Gmail webapp. So far it has crashed my computer 6 times. Not a very good sign. On the other hand it does work but not as stable as opening them in Firefox. -- Use my PGP key if you want to encrypt your replies/messages to me. You are invited to also send me your PGP keys so we can communicate in private.
Post a Comment
Read more