Earlier this week, researchers at Google's Project Zero disclosed the Meltdown and Spectre vulnerabilities, which affect many modern processors, including certain processors from Intel, AMD and ARM. Even though AMD has claimed that there is zero chance of its processors being affected by these flaws, the researchers have indicated that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD and ARM processors.
According to Wired, "the Intel, AMD and ARM manufacturers are closely working and collaborating with hardware companies that ship their processors and software companies like Apple, Google, Microsoft and the Linux Foundation to release patches for these security flaws. We can't assure the patches will completely solve these issues. But, at least, it's better than it seemed at first".
What can you do right now?
Greg Kroah-Hartman has already announced the release of the 4.14.12, 4.9.75 and 4.4.110 stable kernels, which come with Meltdown and Spectre fixes. So, whether you use an Intel, AMD or ARM processor, it is highly recommended to check whether your Linux system is affected by the Meltdown and Spectre vulnerabilities and patch it immediately by updating to the latest Linux kernel. If your Linux distribution doesn't have the latest kernel updates yet, it is strongly recommended to change your Linux distribution right now.
Check For Meltdown And Spectre Vulnerabilities
On Arch Linux and derivatives, you can find out whether your system is affected by the Meltdown/Spectre vulnerabilities using the following two commands.
$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
$ dmesg | grep iso
If the above commands return nothing, your system is not patched yet. In that case, update your Arch-based system using the command:
$ sudo pacman -Syu
After fully updating your Arch system, reboot and run the above commands again. If your system is patched, you should see the following output for the first command:
CONFIG_PAGE_TABLE_ISOLATION=y
And you will get this output for the second command.
[ 0.000000] Kernel/User page tables isolation: enabled
I have already updated the kernel in my Arch system. As you can see in the above output, my Linux kernel is 4.14.12-1-ARCH and it is already patched. If you haven't updated your Arch system yet, you won't get any output.
The above commands might not work on Ubuntu. Thankfully, some good Samaritans on the Ask Ubuntu forum have posted a workaround to find out whether your Ubuntu system is patched, using any one of the following commands.
$ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
$ grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
$ dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
If the output is unpatched, your system is not patched yet. Update the kernel immediately to apply the patches.
I still use 4.4.0-104-generic in my Ubuntu system, so I get 'unpatched' in the result to all commands.
Go update your kernel immediately using the commands:
$ sudo apt-get update
$ sudo apt-get dist-upgrade
Or, as described in the following link.
After updating your kernel, run those three commands again, and you will see that your Ubuntu system is patched.
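All of the one-liners above test a single thing: whether page table isolation (the Meltdown fix) is present in the running kernel. Newer kernels also publish a one-line status per issue under /sys/devices/system/cpu/vulnerabilities/ (the "/sys interface" that the checker script described later in this post reads), which lets you cover Spectre as well. The following POSIX shell script is an added example written for this post, not code from the article, from Ask Ubuntu or from the checker project. It assumes that directory layout, takes the directory as an argument so it can be run against a constructed snapshot, and wraps the CONFIG_PAGE_TABLE_ISOLATION config check from the Ubuntu one-liner in a function; the sample status strings in make_sample_dir are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Spectre/Meltdown mitigation report.
# Assumption (not from the article): each file under the sysfs directory holds
# one line starting with "Not affected", "Mitigation: ..." or "Vulnerable".

# classify_status STRING -> prints ok | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_vulns [DIR] -> one "<issue> <status> <raw text>" line per file.
# Returns 0 only if every reported issue is mitigated or not applicable;
# an unknown string counts as a failure, so a new format is never read as "safe".
report_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir not found: kernel too old to report, treat as unpatched" >&2
        return 1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        status=$(classify_status "$raw")
        [ "$status" = ok ] || rc=1
        printf '%-20s %-10s %s\n' "$name" "$status" "$raw"
    done
    return $rc
}

# pti_enabled CONFIG_FILE -> 0 if the kernel config enables page table isolation
# (the same test as the article's grep on /boot/config-$(uname -r)).
pti_enabled() {
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1"
}

# Constructed sysfs snapshot for offline use; these strings are made up for the
# example and are not output captured from any machine.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: PTI"                             > "$d/meltdown"
    echo "Mitigation: __user pointer sanitization"     > "$d/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline"   > "$d/spectre_v2"
    echo "Not affected"                                > "$d/l1tf"
    echo "$d"
}

# sh check-mitigations.sh --live   reads the real sysfs directory
# sh check-mitigations.sh --demo   runs against the constructed snapshot
case "${1:-}" in
    --demo) report_vulns "$(make_sample_dir)" ;;
    --live) report_vulns && echo "all reported issues mitigated" ;;
esac
```

The exit status is what you would wire into a fleet check or a cron job: anything other than 0 means at least one issue is still open or the kernel is too old to say, which is the safe default when a distro kernel has not caught up yet.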
For other Linux distributions, there is a script named "Spectre & Meltdown Checker" that checks for the Meltdown/Spectre vulnerabilities. It tells you whether your Linux installation is vulnerable to the three "speculative execution" CVEs.
Git clone this script:
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
This will clone all contents in a directory named "spectre-meltdown-checker" in your current working directory.
Go to that directory:
$ cd spectre-meltdown-checker/
Make the script executable:
$ chmod +x spectre-meltdown-checker.sh
Finally run it to find the vulnerabilities:
$ sudo ./spectre-meltdown-checker.sh
Here is the sample output from my patched Ubuntu system:
Without options, it inspects your currently running kernel. You can also specify a kernel image on the command line if you'd like to inspect a kernel you're not running.
Update:
The spectre-meltdown-checker script is available in the official repositories of some Linux distributions.
On Debian, Ubuntu:
$ sudo apt install spectre-meltdown-checker
On CentOS, RHEL:
$ sudo yum install epel-release
$ sudo yum install spectre-meltdown-checker
On Fedora:
$ sudo dnf install spectre-meltdown-checker
After installing spectre-meltdown-checker, run it as root user or with sudo privileges to check for Spectre and Meltdown vulnerabilities:
$ sudo spectre-meltdown-checker
Sample output:
Spectre and Meltdown mitigation detection tool v0.37

Checking for vulnerabilities on current system
Kernel is Linux 4.15.0-91-generic #92-Ubuntu SMP Fri Feb 28 11:09:48 UTC 2020 x86_64
CPU is Intel(R) Core(TM) i3-2350M CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available: NO
    * CPU indicates IBRS capability: NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available: NO
    * CPU indicates IBPB capability: NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available: NO
    * CPU indicates STIBP capability: NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
  * CPU microcode is known to cause stability problems: NO (model 42 stepping 7 ucode cpuid 0x206a7)
* CPU vulnerability to the three speculative execution attack variants
  * Vulnerable to Variant 1: YES
  * Vulnerable to Variant 2: YES
  * Vulnerable to Variant 3: YES

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: NO (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)
* Kernel has array_index_mask_nospec (x86): UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Kernel has the Red Hat/Ubuntu patch: UNKNOWN (missing 'strings' tool, please install it, usually it's in the binutils package)
* Kernel has mask_nospec64 (arm): UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
* Checking count of LFENCE instructions following a jump in kernel... UNKNOWN (couldn't check (missing 'readelf' tool, please install it, usually it's in the 'binutils' package))
> STATUS: VULNERABLE (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: NO (Vulnerable, STIBP: disabled)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: UNKNOWN
  * Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
    * IBPB enabled and active: NO
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: YES
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.
> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBPB. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor.
> How to fix: Your kernel doesn't have IBPB support, so you need to either upgrade your kernel (if you're using a distro) or recompiling a more recent kernel.
> How to fix: The microcode of your CPU needs to be upgraded to be able to use IBRS. This is usually done at boot time by your kernel (the upgrade is not persistent across reboots which is why it's done at each boot). If you're using a distro, make sure you are up to date, as microcode updates are usually shipped alongside with the distro kernel. Availability of a microcode update for you CPU model depends on your CPU vendor. You can usually find out online if a microcode update is available for your CPU by searching for your CPUID (indicated in the Hardware Check section). An updated CPU microcode will have IBRS/IBPB capabilities indicated in the Hardware Check section above. If you're running under an hypervisor (KVM, Xen, VirtualBox, VMware, ...), the hypervisor needs to be up to date to be able to export the new host CPU flags to the guest. You can run this script on the host to check if the host CPU is IBRS/IBPB. If it is, and it doesn't show up in the guest, upgrade the hypervisor.

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: NO (Vulnerable)
* Kernel supports Page Table Isolation (PTI): YES
  * PTI enabled and active: NO
  * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
* Running as a Xen PV DomU: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)
> How to fix: If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)

A false sense of security is worse than no security at all, see --disclaimer
As you can see in the above output, the Spectre and Meltdown issues are not yet patched on this system.
Patch Meltdown And Spectre Vulnerabilities
As I already mentioned, keeping your kernel, your system and all software up to date is highly recommended, as updates also bring a lot of other security fixes.
To update/upgrade your Arch Linux, run:
$ sudo pacman -Syu
To update Debian, Ubuntu:
$ sudo apt-get update && sudo apt-get dist-upgrade
To update Fedora:
$ sudo dnf update
To update RHEL/CentOS:
$ sudo yum update
After updating your Linux system, don't forget to reboot it.
Again, please remember that these issues aren't completely resolved yet. You need to keep updating your Linux systems over the next few weeks, until everything gets fixed.
5 comments
Thank you for the update, however, we patched our systems using:
-> sudo apt-get update && sudo apt-get dist-upgrade
and we continue to get the "unpatched :(" prompt
-> grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
-> dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
-> grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
We are running:
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
Don't know if you have run into this issue, but let me know if there is something from a kernel rebuild or something that we have missed.
By the way, just ran apt-get update && apt-get dist-upgrade again and it still says "unpatched :("
Let me know if you run across something.
T
Did you restart your machines after applying the dist-upgrade?
Ran the spectre-meltdown-checker, it seems there is a Mitigation 1 vulnerability (IBRS hardware + kernel support), installed the patch on this as well (before this was run).
What we have identified in the Linux and Windows world, it seems that the patches are not comprehensive. We went through extensive tests and kernel distribution updates with no remedy for all of the issues experienced. Oh well, we have to wait for the distros and the CPU Mfg to provide a patch that is comprehensive. Anyway, thank you for your insight.
Does NOT work.
I am running kernel 4.15.0-34-generic and ran the command to check for the vulnerability and it came up "unpatched :(".
My processor is an AMD Phenom II x4 965
There's something wrong with the checker!