Meltdown/Spectre Vulnerability Checker for Linux

Chances are you’ve stumbled across about 5000 security bulletins in the past few weeks covering the prematurely disclosed Meltdown and Spectre vulnerabilities. If not, take a moment to read the link I just gave you.

TL;DR: almost every modern operating system and CPU is vulnerable to a class of attacks that could result in stolen data or worse. Unfortunately, these attacks are made possible by fundamental design flaws, and fixes are going to require a combination of firmware patches, CPU microcode updates, OS updates, and general software updates.

Of course, with shit flying in all directions, what you really need to know is, “How vulnerable am I?”

A recent post from our friends at Darknet.org.uk linked to this helpful Linux command line script. It is a work-in-progress, and as the author notes, it “does its best” to probe your vulnerability without actually running any exploits. At publication time, the script focuses on the following:

CVE-2017-5753 bounds check bypass (Spectre Variant 1)

  • Impact: Kernel & all software
  • Mitigation: recompile software and kernel with a modified compiler that introduces the LFENCE opcode at the proper positions in the resulting code
  • Performance impact of the mitigation: negligible

CVE-2017-5715 branch target injection (Spectre Variant 2)

  • Impact: Kernel
  • Mitigation 1: new opcode via microcode update that should be used by up-to-date compilers to protect the BTB (by flushing indirect branch predictors)
  • Mitigation 2: introduce “retpoline” into compilers, and recompile software/OS with it
  • Performance impact of the mitigation: high for mitigation 1, medium for mitigation 2, depending on your CPU

CVE-2017-5754 rogue data cache load (Meltdown)

  • Impact: Kernel
  • Mitigation: updated kernel (with PTI/KPTI patches); updating the kernel is enough
  • Performance impact of the mitigation: low to medium
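For a quick look at what the running kernel itself reports for these three issues, the following is an added example (not code from the linked script or its author). It assumes a kernel that exposes the standard sysfs directory `/sys/devices/system/cpu/vulnerabilities` (mainline 4.15 and later, plus vendor backports); the function names are made up for this sketch.

```shell
#!/bin/sh
# Added example: read the kernel's own mitigation report from sysfs.
# VULN_DIR is the standard location; older kernels do not have it.
VULN_DIR="/sys/devices/system/cpu/vulnerabilities"

# Map the kernel's status line to a short verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# check_cve <sysfs-file-name> [dir]: print the verdict for one issue.
check_cve() {
    file="${2:-$VULN_DIR}/$1"
    if [ -r "$file" ]; then
        classify_status "$(cat "$file")"
    else
        # A missing file means the kernel cannot tell us, not that we are safe.
        echo "unknown"
    fi
}

# report [dir]: one line per CVE covered in the post.
report() {
    dir="${1:-$VULN_DIR}"
    for pair in "CVE-2017-5753:spectre_v1" "CVE-2017-5715:spectre_v2" "CVE-2017-5754:meltdown"; do
        cve="${pair%%:*}"
        name="${pair#*:}"
        detail="no kernel report"
        if [ -r "$dir/$name" ]; then detail="$(cat "$dir/$name")"; fi
        printf '%s %-10s %-12s %s\n' "$cve" "$name" "$(check_cve "$name" "$dir")" "$detail"
    done
    return 0
}

report "$@"
```

An `unknown` verdict on an older kernel is exactly the case where the full checker script is the better tool, since it inspects the kernel image and CPU microcode rather than relying on the kernel's self-report.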

For more information or to download the script, view the project on GitHub.