How to check Linux for Spectre and Meltdown vulnerability

last updated April 20, 2018 in CentOS, Debian / Ubuntu, Linux, RedHat and Friends, Security, Suse

How do I check if my Linux server is still vulnerable to Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that check for the following Intel/AMD/ARM and other CPUs for bugs:

CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depending on your CPU.
CVE-2017-5754: rogue data cache load (Meltdown). You must install updated kernel version with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script to find out if your Linux kernel (installation) is vulnerable against the 3 “speculative execution” CVEs. Use this script to check or see if you are still vulnerable to Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as root user. You can view source code here. Use the wget command or curl command to grab the source code on your Linux box:
$ cd /tmp/ $ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
OR
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Sample outputs:

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

How to check Linux for Spectre and Meltdown vulnerability

Run the script as root user using sudo command or su command:
$ sudo sh spectre-meltdown-checker.sh
Sample outputs from Ubuntu Linux desktop:

[sudo] password for vivek: 
Spectre and Meltdown mitigation detection tool v0.16
 
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

Another output from my CentOS 7.x server where Meltdown/Spectre v1 was patched with Kernel:
$ sudo sh spectre-meltdown-checker.sh

Spectre Meltdown vulnerability mitigation detection check tool for Linux (click to enlarge)

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

For more info see the official github page here.

This entry is 3 of 6 in the Processor/CPU Speculative Execution Patching on Linux Tutorial series. Keep reading the rest of the series:

How to patch Meltdown CPU Vulnerability CVE-2017-5754 on Linux
How to patch Spectre Vulnerability CVE-2017-5753/CVE-2017-5715 on Linux
How to check Linux for Spectre and Meltdown vulnerability
How to install/update Intel microcode firmware on Linux
How to patch Meltdown vulnerability on OpenBSD Unix
How to patch Meltdown and Spectre vulnerabilities on FreeBSD

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.

Your support makes a big difference:

I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft takes a lot of my time and hard work to produce. If everyone who reads nixCraft, who likes it, helps fund it, my future would be more secure. You can donate as little as $1 to support nixCraft:

Become a Supporter Make a contribution via Paypal/Bitcoin

Notable Replies

Robert_Logan says:

GitHub
speed47/spectre-meltdown-checker
spectre-meltdown-checker - Spectre & Meltdown vulnerability/mitigation checker for Linux
Just a simple shell script parsing the kernel for relevant bits. Works nicely.

Continue the discussion www.nixcraft.com

Participants

Historical Comment Archive

19 comment

Alexander says:
January 8, 2018 at 6:41 pm
Do you know, if there is a solution, which does NOT require root access?
1. Vivek Gite says:
  January 8, 2018 at 7:36 pm
  Sorry. I am not aware of it.
Kanth says:
January 8, 2018 at 7:59 pm
This doesn’t seem to work on any centos box I have built on top of VMWARE..
All I am getting out of them is
STATUS:
And nothing… beside the status line.
This is centos 7 minimal, fully patched.
Kanth says:
January 8, 2018 at 8:01 pm
Full output
[/root] # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.16
Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 70)
> STATUS: NOT VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
1. Vivek Gite says:
  January 8, 2018 at 8:31 pm
  Seems like you are patched your system. Make sure VMWare is patched too.
  1. Kanth says:
    January 9, 2018 at 2:48 am
    Interesting.. the code doesn’t show the whole NOT VULNERABLE message on my screen.. but it obviously cut and pasted it in here.
Bhaskar Chowdhury says:
January 9, 2018 at 2:52 am
O fuck …
bhaskar@LinuxMint_08:17:23_Tue Jan 09:~>sudo ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.17
Checking for vulnerabilities against live running kernel Linux 4.14.11-041411-generic #201801022143 SMP Tue Jan 2 21:44:21 UTC 2018 x86_64
Will use vmlinux image /boot/vmlinuz-4.14.11-041411-generic
Will use kconfig /boot/config-4.14.11-041411-generic
Will use System.map file /boot/System.map-4.14.11-041411-generic
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
N Babu says:
January 9, 2018 at 5:59 am
sir i have an old netbook samsung N150 with Intel(R) Atom(TM) CPU N450 @ 1.66GHz with 1gb ram and loaded with LUbuntu 16.04 LTS updated as on today. I ran the util and getting the following :
Spectre and Meltdown mitigation detection tool v0.17
Checking for vulnerabilities against live running kernel Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
Will use vmlinux image /boot/vmlinuz-4.10.0-42-generic
Will use kconfig /boot/config-4.10.0-42-generic
Will use System.map file /boot/System.map-4.10.0-42-generic
CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 37 opcodes found, should be >= 70)
> STATUS: VULNERABLE
CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
pls help.
Thanks and Regards
1. N Babu says:
  January 9, 2018 at 7:11 am
  it looks like as per https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
  kernel 4.10 hwe is not taken care as of now.
Mathew says:
January 9, 2018 at 9:43 am
Hi vivek and thanks for the post.
I have patched and tested my centos 6 install and am seeing similar output to your centos 7 grab in post, basically that the spectre variant 2 is vulnerable.
Is this as expected at this stage with centos?
Should we expect more patches?
Thanks
1. Vivek Gite says:
  January 10, 2018 at 11:37 am
  yes more patches and microcode update from Intel will hit within next 2-4 weeks. It might take longer. Basically you must install all those updates when released for your distro.
Dan says:
January 9, 2018 at 12:59 pm
Does this check whether your *hardware* is vulnerable to the bugs in the first place, or simply whether your kernel has been patched?

sh /tmp/spectre-meltdown-checker.sh

Spectre and Meltdown mitigation detection tool v0.19

Checking for vulnerabilities against live running kernel Linux 2.6.32-504.23.4.el6.x86_64 #1 SMP Fri May 29 10:16:43 EDT 2015 x86_64
Will use vmlinux image /boot/vmlinuz-2.6.32-504.23.4.el6.x86_64
Will use kconfig /boot/config-2.6.32-504.23.4.el6.x86_64
Will use System.map file /proc/kallsyms

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

- PRODUCTION]# uptime
 14:12:39 up 656 days, 18:38,  1 user,  load average: 0.37, 0.12, 0.03
haven't patched my system for more than an year but its doesn't shows as vulnerable

Hi,

I’ checking several servers (phisical and virtual), but most of them seems to be not vulnerable, and it’s trange, es:

VM in ESXi 5.5, CPU : Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz

According to Intel is Affected (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr),

output of the script:

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  YES
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

Todd says:
January 9, 2018 at 2:00 pm
This script reports “your CPU vendor reported your CPU model as not vulnerable” if CPU Part and CPU Architecture aren’t present in /proc/cpuinfo, as I’m seeing with OEL 6 at least.
Charles says:
January 9, 2018 at 6:55 pm
this doesn’t seem to work on i386 kernels, at least for Ubuntu 16.04. returns false positive saying NOT VULNERABLE for Variant 1 even though kernel was compiled in July.
unless i386 is not vulnerable to Meltdown/Spectre..?
1. Jean-Michel says:
  January 12, 2018 at 8:15 pm
  Yes Charles, processors up to Pentium MMX are not vulnerable.
  1. Charles says:
    January 15, 2018 at 2:41 pm
    yes but these are newer opteron processors. system runs under vmware; some vms are 32bit and others 64bit. the 64bit vms show vulnerable but the 32bit don’t. makes me think this script is not 100% reliable

Have a question? Post it on our forum!

Tagged as: Intermediate