How to check Linux for Spectre and Meltdown vulnerability

How do I check if my Linux server is still vulnerable to Spectre and Meltdown CPU bugs?

Spectre & Meltdown Checker is a shell script that check for the following Intel/AMD/ARM and other CPUs for bugs:

  1. CVE-2017-5753: bounds check bypass (Spectre Variant 1). You need to recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code. The performance impact of the mitigation is negligible.
  2. CVE-2017-5715: branch target injection (Spectre Variant 2). The performance impact of the mitigation depending on your CPU.
  3. CVE-2017-5754: rogue data cache load (Meltdown). You must install updated kernel version with PTI/KPTI patches. Updating the kernel is enough. The performance impact of the mitigation is low to medium.

spectre-meltdown-checker.sh is a simple shell script to find out if your Linux kernel (installation) is vulnerable against the 3 “speculative execution” CVEs. Use this script to check or see if you are still vulnerable to Meltdown and Spectre CPU bugs after applying kernel patches.

Installation

The script must be run as root user. You can view source code here. Use the wget command or curl command to grab the source code on your Linux box:
$ cd /tmp/
$ wget https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh

OR
$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Sample outputs:

Cloning into 'spectre-meltdown-checker'...
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

Cloning into ‘spectre-meltdown-checker’…
remote: Counting objects: 155, done.
remote: Compressing objects: 100% (20/20), done.
remote: Total 155 (delta 18), reused 21 (delta 10), pack-reused 125
Receiving objects: 100% (155/155), 49.78 KiB | 145.00 KiB/s, done.
Resolving deltas: 100% (88/88), done.

How to check Linux for Spectre and Meltdown vulnerability

Run the script as root user using sudo command or su command:
$ sudo sh spectre-meltdown-checker.sh
Sample outputs from Ubuntu Linux desktop:

[sudo] password for vivek: 
Spectre and Meltdown mitigation detection tool v0.16
 
Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64
 
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel compiled with LFENCE opcode inserted at the proper places:  NO  (only 42 opcodes found, should be >= 70)
> STATUS:  VULNERABLE 
 
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
 
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO 
* PTI enabled and active:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

[sudo] password for vivek:
Spectre and Meltdown mitigation detection tool v0.16 Checking vulnerabilities against Linux 4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017 x86_64 CVE-2017-5753 [bounds check bypass] aka ‘Spectre Variant 1’
* Kernel compiled with LFENCE opcode inserted at the proper places: NO (only 42 opcodes found, should be >= 70)
> STATUS: VULNERABLE CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability) CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): NO
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

Another output from my CentOS 7.x server where Meltdown/Spectre v1 was patched with Kernel:
$ sudo sh spectre-meltdown-checker.sh

Spectre Meltdown vulnerability mitigation detection check tool for Linux (click to enlarge)

How to apply microcode update supplied by Intel on Linux

See “How to install/update Intel microcode firmware on Linux” for more info.

For more info see the official github page here.

Posted by: SXI ADMIN

The author is the creator of SXI LLC and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.