Spectre & Meltdown Checker is a shell script that checks Intel/AMD/ARM and other CPUs for the following bugs:
- CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and the kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
- CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depends on your CPU.
- CVE-2017-5754: rogue data cache load (Meltdown). You must install an updated kernel version with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.
spectre-meltdown-checker.sh is a simple shell script to find out if your Linux kernel (installation) is vulnerable to the 3 “speculative execution” CVEs. Use this script to check whether you are still vulnerable to the Meltdown and Spectre CPU bugs after applying kernel patches.
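The checker above inspects the kernel image itself. As an added example (not part of the spectre-meltdown-checker project), the script below shows the two other places a defender can read mitigation state from: the per-issue status files the kernel exports under /sys/devices/system/cpu/vulnerabilities/ (present since Linux 4.15; absent on the 4.13/4.14 kernels shown in this post), and the "flags" and "bugs" lines of /proc/cpuinfo. Reading "bugs" separately from the mitigation status is what distinguishes "the hardware is affected" from "the kernel is patched". The status strings and cpuinfo lines in the fixture are constructed sample data so the script runs offline; pass --live to run it against the real system.

```shell
#!/bin/sh
# Added example, not the project's own code. Summarise Spectre/Meltdown
# mitigation state from the kernel's sysfs files and /proc/cpuinfo.

# Map one sysfs status string ("Not affected", "Vulnerable[: detail]",
# "Mitigation: <name>") to a short verdict.
verdict_for_status() {
    case "$1" in
        "Not affected"*) echo "NOT AFFECTED" ;;
        "Mitigation:"*)  echo "MITIGATED (${1#Mitigation: })" ;;
        "Vulnerable"*)   echo "VULNERABLE" ;;
        *)               echo "UNKNOWN ($1)" ;;
    esac
}

# Given the cpuinfo "flags" line, report the mitigation-related CPU features
# the kernel sees: pti = page-table isolation active, ibrs/ibpb/stibp =
# microcode support for the Spectre v2 branch controls.
flags_report() {
    flags=" $1 "
    out=""
    for f in pti ibrs ibpb stibp; do
        case "$flags" in
            *" $f "*) out="$out $f=yes" ;;
            *)        out="$out $f=no" ;;
        esac
    done
    echo "${out# }"
}

# Given the cpuinfo "bugs" line and an issue name (spectre_v1, spectre_v2,
# cpu_meltdown), say whether the CPU itself is listed as affected. This is
# the hardware side, independent of whether any patch is applied.
hw_affected() {
    bugs=" $1 "
    case "$bugs" in
        *" $2 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Summarise a system rooted at $1 ("" for the live host). Falls back to
# /proc/cpuinfo when the sysfs directory does not exist (kernel < 4.15).
summarise() {
    root="${1:-}"
    vdir="$root/sys/devices/system/cpu/vulnerabilities"
    cpuinfo="$root/proc/cpuinfo"
    if [ -d "$vdir" ]; then
        for issue in spectre_v1 spectre_v2 meltdown; do
            [ -r "$vdir/$issue" ] || continue
            printf '%-10s %s\n' "$issue" "$(verdict_for_status "$(cat "$vdir/$issue")")"
        done
    else
        echo "no $vdir: kernel older than 4.15, using /proc/cpuinfo only"
    fi
    if [ -r "$cpuinfo" ]; then
        flags=$(sed -n 's/^flags[[:space:]]*: //p' "$cpuinfo" | head -n 1)
        bugs=$(sed -n 's/^bugs[[:space:]]*: //p' "$cpuinfo" | head -n 1)
        echo "cpu flags: $(flags_report "$flags")"
        for b in spectre_v1 spectre_v2 cpu_meltdown; do
            echo "hardware affected by $b: $(hw_affected "$bugs" "$b")"
        done
    fi
}

# Build a constructed fixture tree: a Meltdown-patched kernel on a CPU with
# IBPB microcode but no retpoline, so Spectre v2 still reads as vulnerable.
make_fixture() {
    d=$(mktemp -d)
    v="$d/sys/devices/system/cpu/vulnerabilities"
    mkdir -p "$v" "$d/proc"
    echo "Mitigation: __user pointer sanitization"   > "$v/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$v/spectre_v2"
    echo "Mitigation: PTI"                            > "$v/meltdown"
    printf 'flags\t\t: fpu vme pti ibpb\nbugs\t\t: cpu_meltdown spectre_v1 spectre_v2\n' \
        > "$d/proc/cpuinfo"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    summarise ""
else
    fixture=$(make_fixture)
    summarise "$fixture"
    rm -rf "$fixture"
fi
```

On the constructed fixture this prints Meltdown as MITIGATED (PTI), Spectre v2 as VULNERABLE, pti=yes and ibpb=yes, and all three hardware bugs as affected, which is the same picture the post's CentOS 7 output paints in a different form.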
Installation
The script must be run as the root user. You can view the source code here. Use the wget command or curl command to grab the source code on your Linux box:
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
OR
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Sample outputs:
Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.
How to check Linux for Spectre and Meltdown vulnerability
Run the script as the root user using the sudo command or su command:
$ sudo sh spectre-meltdown-checker.sh
Sample outputs from Ubuntu Linux desktop:
[sudo] password for vivek:
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Another output from my CentOS 7.x server where Meltdown/Spectre v1 were patched in the kernel:
$ sudo sh spectre-meltdown-checker.sh
How to apply microcode update supplied by Intel on Linux
See “How to install/update Intel microcode firmware on Linux” for more info.
For more info see the official GitHub page here.
- How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
- How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
- How to check Linux for Spectre and Meltdown vulnerability
- How to install/update Intel microcode firmware on Linux
- How to patch Meltdown vulnerability on OpenBSD Unix
- How to patch Meltdown and Spectre vulnerabilities on FreeBSD
Do you know if there is a solution which does NOT require root access?
Sorry. I am not aware of it.
This doesn’t seem to work on any CentOS box I have built on top of VMware..
All I am getting out of them is
STATUS:
And nothing… besides the status line.
This is CentOS 7 minimal, fully patched.
Full output
[/root] # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 70)
> STATUS: NOT VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Seems like you have patched your system. Make sure VMware is patched too.
Interesting.. the code doesn’t show the whole NOT VULNERABLE message on my screen.. but it obviously cut and pasted it in here.
O fuck …
bhaskar@LinuxMint_08:17:23_Tue Jan 09:~>sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.17
Checking for vulnerabilities against live running kernel Linux 4.14.11-041411-generic #201801022143 SMP Tue Jan 2 21:44:21 UTC 2018 x86_64
Will use vmlinux image /boot/vmlinuz-4.14.11-041411-generic
Will use kconfig /boot/config-4.14.11-041411-generic
Will use System.map file /boot/System.map-4.14.11-041411-generic
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
Sir, I have an old netbook, a Samsung N150 with an Intel(R) Atom(TM) CPU N450 @ 1.66GHz and 1GB RAM, loaded with Lubuntu 16.04 LTS updated as of today. I ran the util and am getting the following:
Spectre and Meltdown mitigation detection tool v0.17
Checking for vulnerabilities against live running kernel Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
Will use vmlinux image /boot/vmlinuz-4.10.0-42-generic
Will use kconfig /boot/config-4.10.0-42-generic
Will use System.map file /boot/System.map-4.10.0-42-generic
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 37 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
Please help.
Thanks and Regards
It looks like, as per https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown,
kernel 4.10 HWE is not taken care of as of now.
Hi vivek and thanks for the post.
I have patched and tested my CentOS 6 install and am seeing similar output to your CentOS 7 grab in the post, basically that Spectre variant 2 is vulnerable.
Is this as expected at this stage with CentOS?
Should we expect more patches?
Thanks
Yes, more patches and a microcode update from Intel will hit within the next 2-4 weeks. It might take longer. Basically you must install all those updates when released for your distro.
Does this check whether your *hardware* is vulnerable to the bugs in the first place, or simply whether your kernel has been patched?
sh /tmp/spectre-meltdown-checker.sh
Hi,
I’m checking several servers (physical and virtual), but most of them seem to be not vulnerable, and it’s strange, e.g.:
VM in ESXi 5.5, CPU : Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz
According to Intel it is affected (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr),
output of the script:
This script reports “your CPU vendor reported your CPU model as not vulnerable” if CPU Part and CPU Architecture aren’t present in /proc/cpuinfo, as I’m seeing with OEL 6 at least.
This doesn’t seem to work on i386 kernels, at least for Ubuntu 16.04. It returns a false positive saying NOT VULNERABLE for Variant 1 even though the kernel was compiled in July.
Unless i386 is not vulnerable to Meltdown/Spectre..?
Yes, Charles, processors up to Pentium MMX are not vulnerable.
Yes, but these are newer Opteron processors. The system runs under VMware; some VMs are 32-bit and others 64-bit. The 64-bit VMs show vulnerable but the 32-bit ones don’t. Makes me think this script is not 100% reliable.