Meltdown/Spectre Vulnerability Checker for Linux
Chances are you’ve stumbled across about 5000 security bulletins in the past few weeks covering the prematurely disclosed Meltdown and Spectre vulnerabilities. If not, take a moment to read the link I just gave you.
TL;DR: almost every modern operating system and CPU is vulnerable to a class of attacks that could result in stolen data or worse. Unfortunately, these attacks are made possible by fundamental design flaws, and fixes are going to require a combination of firmware patches, CPU microcode updates, OS updates, and general software updates.
Of course, with shit flying in all directions, what you really need to know is, “How vulnerable am I?”
A recent post from our friends at Darknet.org.uk linked to this helpful Linux command line script. It is a work-in-progress, and as the author notes, it “does its best” to probe your vulnerability without actually running any exploits. At publication time, the script focuses on the following:
CVE-2017-5753 bounds check bypass (Spectre Variant 1)
- Impact: Kernel & all software
- Mitigation: recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
- Performance impact of the mitigation: negligible
CVE-2017-5715 branch target injection (Spectre Variant 2)
- Impact: Kernel
- Mitigation 1: new opcode via microcode update that should be used by up to date compilers to protect the BTB (by flushing indirect branch predictors)
- Mitigation 2: introducing “retpoline” into compilers, and recompile software/OS with it
- Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU
CVE-2017-5754 rogue data cache load (Meltdown)
- Impact: Kernel
- Mitigation: updated kernel (with PTI/KPTI patches), updating the kernel is enough
- Performance impact of the mitigation: low to medium
For more information or to download the script, view the project on GitHub.
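
For a quick first look at the same three CVEs, the kernel's own self-reported status can be read from sysfs without running any exploit code. The sketch below is an added example, not the project's script or code from the original post; the function names are hypothetical, and it assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities (mainline 4.15 and later, plus many distribution backports).

```shell
#!/bin/sh
# Added example, not the project's script. Reads the kernel's self-reported
# status for the three CVEs above; no exploit code is run.
# Assumption: the kernel provides this sysfs directory (mainline 4.15+ and
# many distribution backports). Without it, every entry reports "unknown".
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status FILE: print not-affected, mitigated, vulnerable or unknown.
classify_status() {
    line=
    if [ ! -r "$1" ]; then
        echo unknown              # kernel predates the interface
        return 0
    fi
    IFS= read -r line < "$1" || true
    case $line in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report [DIR]: one line per CVE; returns 1 if any is vulnerable or unknown.
report() {
    dir=${1:-$VULN_DIR}
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        name=${pair#*:}
        status=$(classify_status "$dir/$name")
        detail=
        [ -r "$dir/$name" ] && IFS= read -r detail < "$dir/$name" || true
        printf '%s  %-12s  %s\n' "$cve" "$status" "${detail:-no kernel report}"
        case $status in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# write_sample DIR: constructed sample files for trying report offline.
write_sample() {
    mkdir -p "$1"
    echo 'Mitigation: __user pointer sanitization' > "$1/spectre_v1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/spectre_v2"
    # meltdown is left absent to show the "unknown" path
}
```

Call `report` with no argument to read the live system. An "unknown" result means the kernel is too old to report its status, not that the machine is safe.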