How to check Linux for Spectre and Meltdown vulnerability

How do I check if my Linux server is still vulnerable to Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that checks Intel, AMD, ARM and other CPUs for the following bugs:


  1. CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and the kernel with a modified compiler that inserts the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
  2. CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depends on your CPU.
  3. CVE-2017-5754: rogue data cache load (Meltdown). You must install an updated kernel version with the PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script to find out whether your Linux kernel (installation) is vulnerable to the three “speculative execution” CVEs. Use this script to check whether you are still vulnerable to the Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as the root user. You can view the source code here. Use the wget command or curl command to grab the source code on your Linux box:
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

OR
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Sample outputs:

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

How to check Linux for Spectre and Meltdown vulnerability

Run the script as the root user using the sudo command or su command:
$ sudo sh spectre-meltdown-checker.sh
Sample outputs from Ubuntu Linux desktop:

[sudo] password for vivek: 
Spectre and Meltdown mitigation detection tool v0.16
 
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

Another output, from my CentOS 7.x server, where Meltdown and Spectre v1 were patched by a kernel update:
$ sudo sh spectre-meltdown-checker.sh

[Image: Spectre Meltdown vulnerability mitigation detection check tool for Linux]
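A cheaper check that does not need the script, added here as an example (it is not part of the original post or of the checker project): kernels from 4.15 on export their own verdict for each of the three CVEs under /sys/devices/system/cpu/vulnerabilities, in the files spectre_v1, spectre_v2 and meltdown, and each value starts with Vulnerable, Mitigation: or Not affected. The function below reads those files and returns non-zero when any of them is still Vulnerable, so it can be dropped into a monitoring job. The directory is a parameter so the constructed sample tree built at the bottom (states copied from the sample outputs above, not read from a real host) can exercise it offline; on an older kernel without those files it reports UNKNOWN and you fall back to the script.

```shell
#!/bin/sh
# Added example, not part of the original post or the checker project.
# Reads the kernel's per-CVE status files from sysfs (Linux >= 4.15) and
# fails if any of the three CVEs discussed above is still "Vulnerable".

# Print "<name>: <verdict>" for spectre_v1, spectre_v2 and meltdown under DIR.
# Returns 1 if any status begins with "Vulnerable", 0 otherwise; a missing
# file is reported as UNKNOWN and does not count as vulnerable by itself.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in spectre_v1 spectre_v2 meltdown; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            printf '%s: UNKNOWN (file %s not found; kernel older than 4.15?)\n' "$name" "$f"
            continue
        fi
        status=$(cat "$f")
        case "$status" in
            Vulnerable*)     verdict="VULNERABLE"; rc=1 ;;
            "Not affected"*) verdict="NOT VULNERABLE (hardware not affected)" ;;
            Mitigation:*)    verdict="NOT VULNERABLE (${status#Mitigation: })" ;;
            *)               verdict="UNKNOWN ($status)" ;;
        esac
        printf '%s: %s\n' "$name" "$verdict"
    done
    return "$rc"
}

# Build a constructed sysfs tree so the function can be exercised offline.
# The states mirror the sample outputs above: Spectre v1 mitigated in the
# kernel, Spectre v2 still open, Meltdown patched with PTI.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf '%s\n' "$d"
}

# Usage: sh check_cpu_vulns.sh --demo   (runs against the constructed tree)
#        sh check_cpu_vulns.sh          (define functions only; call
#                                        check_cpu_vulns with no argument
#                                        to read the live sysfs tree)
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    check_cpu_vulns "$sample" || echo "at least one CVE is still vulnerable"
    rm -rf "$sample"
fi
```

Because the verdict comes from the running kernel rather than from counting opcodes in the vmlinux image, it also answers the question of whether the mitigation is active, not just compiled in; but it says nothing about the hypervisor or microcode beneath a VM, which the running kernel cannot see.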

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

For more info see the official GitHub page here.


18 comments
  • Alexander Jan 8, 2018 @ 18:41

    Do you know, if there is a solution, which does NOT require root access?

  • Kanth Jan 8, 2018 @ 19:59

    This doesn’t seem to work on any CentOS box I have built on top of VMware.
    All I am getting out of them is
    STATUS:

    And nothing… beside the status line.
    This is centos 7 minimal, fully patched.

  • Kanth Jan 8, 2018 @ 20:01

    Full output

    [/root] # ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.16

    Checking vulnerabilities against Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Jan 4 01:06:37 UTC 2018 x86_64

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: YES (112 opcodes found, which is >= 70)
    > STATUS: NOT VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: YES
    * Kernel support for IBRS: YES
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

    • 🐧 Vivek Gite Jan 8, 2018 @ 20:31

      Seems like you have patched your system. Make sure VMware is patched too.

      • Kanth Jan 9, 2018 @ 2:48

        Interesting. The code doesn’t show the whole NOT VULNERABLE message on my screen, but it obviously cut and pasted it in here.

  • Bhaskar Chowdhury Jan 9, 2018 @ 2:52

    O fuck …

    bhaskar@LinuxMint_08:17:23_Tue Jan 09:~>sudo ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.17

    Checking for vulnerabilities against live running kernel Linux 4.14.11-041411-generic #201801022143 SMP Tue Jan 2 21:44:21 UTC 2018 x86_64
    Will use vmlinux image /boot/vmlinuz-4.14.11-041411-generic
    Will use kconfig /boot/config-4.14.11-041411-generic
    Will use System.map file /boot/System.map-4.14.11-041411-generic

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
    > STATUS: VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: NO
    * Kernel support for IBRS: NO
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): YES
    * PTI enabled and active: YES
    > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

  • N Babu Jan 9, 2018 @ 5:59

    Sir, I have an old netbook, a Samsung N150 with an Intel(R) Atom(TM) CPU N450 @ 1.66GHz and 1GB RAM, loaded with Lubuntu 16.04 LTS updated as of today. I ran the util and am getting the following:

    Spectre and Meltdown mitigation detection tool v0.17

    Checking for vulnerabilities against live running kernel Linux 4.10.0-42-generic #46~16.04.1-Ubuntu SMP Mon Dec 4 15:57:59 UTC 2017 x86_64
    Will use vmlinux image /boot/vmlinuz-4.10.0-42-generic
    Will use kconfig /boot/config-4.10.0-42-generic
    Will use System.map file /boot/System.map-4.10.0-42-generic

    CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
    * Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 37 opcodes found, should be >= 70)
    > STATUS: VULNERABLE

    CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
    * Mitigation 1
    * Hardware (CPU microcode) support for mitigation: NO
    * Kernel support for IBRS: NO
    * IBRS enabled for Kernel space: NO
    * IBRS enabled for User space: NO
    * Mitigation 2
    * Kernel compiled with retpoline option: NO
    * Kernel compiled with a retpoline-aware compiler: NO
    > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

    CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
    * Kernel supports Page Table Isolation (PTI): NO
    * PTI enabled and active: NO
    > STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

    Please help.
    Thanks and Regards

  • Mathew Jan 9, 2018 @ 9:43

    Hi Vivek, and thanks for the post.
    I have patched and tested my CentOS 6 install and am seeing similar output to your CentOS 7 grab in the post, basically that Spectre variant 2 is vulnerable.

    Is this as expected at this stage with centos?
    Should we expect more patches?
    Thanks

    • 🐧 Vivek Gite Jan 10, 2018 @ 11:37

      Yes, more patches and a microcode update from Intel will hit within the next 2-4 weeks. It might take longer. Basically you must install all those updates when they are released for your distro.

  • Dan Jan 9, 2018 @ 12:59

    Does this check whether your *hardware* is vulnerable to the bugs in the first place, or simply whether your kernel has been patched?

  • noel Jan 9, 2018 @ 13:15

    sh /tmp/spectre-meltdown-checker.sh

    Spectre and Meltdown mitigation detection tool v0.19
    
    Checking for vulnerabilities against live running kernel Linux 2.6.32-504.23.4.el6.x86_64 #1 SMP Fri May 29 10:16:43 EDT 2015 x86_64
    Will use vmlinux image /boot/vmlinuz-2.6.32-504.23.4.el6.x86_64
    Will use kconfig /boot/config-2.6.32-504.23.4.el6.x86_64
    Will use System.map file /proc/kallsyms
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO
    * PTI enabled and active:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    - PRODUCTION]# uptime
     14:12:39 up 656 days, 18:38,  1 user,  load average: 0.37, 0.12, 0.03
    I haven't patched my system for more than a year, but it doesn't show as vulnerable.
    
  • Charls Bags Jan 9, 2018 @ 13:39

    Hi,

    I’m checking several servers (physical and virtual), but most of them seem to be not vulnerable, and it’s strange, e.g.:

    VM in ESXi 5.5, CPU : Intel(R) Xeon(R) CPU E5-2697 v2 @ 2.70GHz

    According to Intel it is affected (https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr),

    output of the script:

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  NO  (only 17 opcodes found, should be >= 70)
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES
    *   Kernel support for IBRS:  NO
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Kernel supports Page Table Isolation (PTI):  NO
    * PTI enabled and active:  NO
    > STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)
    
  • Todd Jan 9, 2018 @ 14:00

    This script reports “your CPU vendor reported your CPU model as not vulnerable” if CPU Part and CPU Architecture aren’t present in /proc/cpuinfo, as I’m seeing with OEL 6 at least.

  • Charles Jan 9, 2018 @ 18:55

    This doesn’t seem to work on i386 kernels, at least for Ubuntu 16.04. It returns a false positive, saying NOT VULNERABLE for Variant 1 even though the kernel was compiled in July.

    Unless i386 is not vulnerable to Meltdown/Spectre?

    • Jean-Michel Jan 12, 2018 @ 20:15

      Yes Charles, processors up to Pentium MMX are not vulnerable.

      • Charles Jan 15, 2018 @ 14:41

        Yes, but these are newer Opteron processors. The system runs under VMware; some VMs are 32-bit and others 64-bit. The 64-bit VMs show vulnerable but the 32-bit ones don’t. Makes me think this script is not 100% reliable.
