How to check Linux for Spectre and Meltdown vulnerability

Last updated March 4, 2018

How do I check if my Linux server is still vulnerable to Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that tests Intel, AMD, ARM and other CPUs for the following bugs:

  1. CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and the kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
  2. CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depends on your CPU.
  3. CVE-2017-5754: rogue data cache load (Meltdown). You must install an updated kernel with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script to find out whether your Linux kernel (installation) is vulnerable to the three “speculative execution” CVEs. Use this script to check whether you are still vulnerable to the Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as the root user. The source code is hosted on GitHub; use the wget command or curl command to grab it on your Linux box:
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

OR
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Sample outputs:

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

How to check Linux for Spectre and Meltdown vulnerability

Run the script as root user using sudo command or su command:
$ sudo sh spectre-meltdown-checker.sh
Sample output from an Ubuntu Linux desktop:

[sudo] password for vivek: 
Spectre and Meltdown mitigation detection tool v0.16
 
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

Another output, from my CentOS 7.x server where Meltdown and Spectre v1 were patched via a kernel update:
$ sudo sh spectre-meltdown-checker.sh

(Screenshot: Spectre Meltdown vulnerability mitigation detection check tool for Linux)
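A kernel-side cross-check that complements the checker script, added here as an example and not part of the article or of spectre-meltdown-checker.sh: it reads the per-issue status files newer kernels expose under /sys/devices/system/cpu/vulnerabilities/ (4.15 and later, plus distribution backports; older kernels such as the ones in the outputs above may lack them, in which case the live run prints nothing) and the "bugs:" field of /proc/cpuinfo, which says whether the hardware is affected at all, independently of whether the running kernel mitigates it. The cpuinfo and kconfig inputs at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the article or of spectre-meltdown-checker.sh.
# Kernels 4.15+ (and distribution backports) report their own verdict on the
# three CVEs the article covers: one file per issue under
# /sys/devices/system/cpu/vulnerabilities/ and, for the hardware side, a
# "bugs:" field in /proc/cpuinfo. Functions take text as arguments so the
# logic runs on the constructed samples below; check_live reads the real files.

# Map one sysfs vulnerabilities line to a coarse verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_VULNERABLE ;; # hardware not affected
        Mitigation:*)    echo MITIGATED ;;      # affected, kernel mitigates it
        Vulnerable*)     echo VULNERABLE ;;     # affected, not (fully) mitigated
        *)               echo UNKNOWN ;;
    esac
}

# Is the hardware itself affected? Succeeds if <bug> (e.g. cpu_meltdown,
# spectre_v2) appears in the "bugs:" field of the given /proc/cpuinfo text.
cpu_has_bug() {
    printf '%s\n' "$1" | awk -F': *' -v b="$2" '
        $1 ~ /^bugs/ { n = split($2, a, " "); for (i = 1; i <= n; i++) if (a[i] == b) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does the kernel build enable <option>=y in the given kconfig text?
# CONFIG_PAGE_TABLE_ISOLATION is the PTI knob behind the Meltdown check and
# CONFIG_RETPOLINE the "retpoline option" the checker reports for Spectre v2.
kconfig_has() {
    printf '%s\n' "$1" | grep -qx "$2=y"
}

# Read the real sysfs files when this kernel provides them.
check_live() {
    dir=/sys/devices/system/cpu/vulnerabilities
    for f in spectre_v1 spectre_v2 meltdown; do
        [ -r "$dir/$f" ] || continue
        line=$(cat "$dir/$f")
        printf '%-10s %-14s %s\n' "$f" "$(classify_status "$line")" "$line"
    done
}

# Constructed samples, not captured from a real machine.
SAMPLE_CPUINFO='processor : 0
bugs : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_KCONFIG='CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_RETPOLINE is not set'

if [ -d /sys/devices/system/cpu/vulnerabilities ]; then check_live; fi
```

On a live system, pass the real files through the same functions, e.g. `cpu_has_bug "$(cat /proc/cpuinfo)" cpu_meltdown` and `kconfig_has "$(cat /boot/config-$(uname -r))" CONFIG_PAGE_TABLE_ISOLATION`.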

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

For more information, see the official GitHub page: https://github.com/speed47/spectre-meltdown-checker

This entry is 3 of 5 in the Processor/CPU Speculative Execution Patching on Linux Tutorial series. Keep reading the rest of the series:
  1. How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
  2. How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
  3. How to check Linux for Spectre and Meltdown vulnerability
  4. How to install/update Intel microcode firmware on Linux
  5. How to patch Meltdown vulnerability on OpenBSD Unix

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.


Historical Comment Archive

19 comments

  1. This doesn’t seem to work on any CentOS box I have built on top of VMware.
    All I am getting out of them is
    STATUS:

    And nothing… besides the status line.
    This is CentOS 7 minimal, fully patched.

  2. Full output

    [/root] # ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.16

    Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 70)
    > STATUS: NOT VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: YES
    * Kernel support for IBRS: YES
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

      1. Interesting… the code doesn’t show the whole NOT VULNERABLE message on my screen, but it obviously cut and pasted it in here.

  3. O fuck …

    bhaskar@LinuxMint_08:17:23_Tue Jan 09:~>sudo ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.17

    Checking for vulnerabilities against live running kernel Linux 4.14.11-041411-generic #201801022143 SMP Tue Jan 2 21:44:21 UTC 2018 x86_64
    Will use vmlinux image /boot/vmlinuz-4.14.11-041411-generic
    Will use kconfig /boot/config-4.14.11-041411-generic
    Will use System.map file /boot/System.map-4.14.11-041411-generic

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
    > STATUS: VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: NO
    * Kernel support for IBRS: NO
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

  4. Sir, I have an old netbook, a Samsung N150 with an Intel(R) Atom(TM) CPU N450 @ 1.66GHz and 1 GB RAM, loaded with Lubuntu 16.04 LTS updated as of today. I ran the utility and am getting the following:

    Spectre and Meltdown mitigation detection tool v0.17

    Checking for vulnerabilities against live running kernel Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
    Will use vmlinux image /boot/vmlinuz-4.10.0-42-generic
    Will use kconfig /boot/config-4.10.0-42-generic
    Will use System.map file /boot/System.map-4.10.0-42-generic

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 37 opcodes found, should be >= 70)
    > STATUS: VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: NO
    * Kernel support for IBRS: NO
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): NO
    * PTI enabled and active: NO
    > STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

    Please help.
    Thanks and regards

  5. Hi Vivek, and thanks for the post.
    I have patched and tested my CentOS 6 install and am seeing similar output to your CentOS 7 grab in the post, basically that Spectre variant 2 is vulnerable.

    Is this as expected at this stage with centos?
    Should we expect more patches?
    Thanks

    1. Yes, more patches and a microcode update from Intel will hit within the next 2-4 weeks. It might take longer. Basically you must install all those updates when released for your distro.

  6. Does this check whether your *hardware* is vulnerable to the bugs in the first place, or simply whether your kernel has been patched?

  7. sh /tmp/spectre-meltdown-checker.sh

    Spectre and Meltdown mitigation detection tool v0.19
    
    Checking for vulnerabilities against live running kernel Linux 2.6.32-504.23.4.el6.x86_64 #1 SMP Fri May 29 10:16:43 EDT 2015 x86_64
    Will use vmlinux image /boot/vmlinuz-2.6.32-504.23.4.el6.x86_64
    Will use kconfig /boot/config-2.6.32-504.23.4.el6.x86_64
    Will use System.map file /proc/kallsyms
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO
    * PTI enabled and active:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    - PRODUCTION]# uptime
     14:12:39 up 656 days, 18:38,  1 user,  load average: 0.37, 0.12, 0.03
    Haven't patched my system for more than a year, but it doesn't show as vulnerable.
    
  8. Hi,

    I’m checking several servers (physical and virtual), but most of them seem to be not vulnerable, and it’s strange, e.g.:

    VM in ESXi 5.5, CPU : Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz

    According to Intel it is affected (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr),

    output of the script:

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO
    * PTI enabled and active:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
  9. This script reports “your CPU vendor reported your CPU model as not vulnerable” if CPU Part and CPU Architecture aren’t present in /proc/cpuinfo, as I’m seeing with OEL 6 at least.

  10. This doesn’t seem to work on i386 kernels, at least for Ubuntu 16.04. It returns a false positive saying NOT VULNERABLE for Variant 1 even though the kernel was compiled in July.

    unless i386 is not vulnerable to Meltdown/Spectre..?

      1. Yes, but these are newer Opteron processors. The system runs under VMware; some VMs are 32-bit and others 64-bit. The 64-bit VMs show vulnerable but the 32-bit ones don’t. Makes me think this script is not 100% reliable.
