How To Check For Meltdown And Spectre Vulnerabilities And Patch Them In Linux

Meltdown And Spectre Vulnerabilities

Earlier this week, a team of researchers at Google’s Project Zero disclosed the Meltdown and Spectre vulnerabilities, which affect many modern processors, including certain processors from Intel, AMD and ARM. Even though AMD has claimed that there is zero chance of their processors being affected by these flaws, the researchers have indicated that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD and ARM processors.

According to Wired, “the Intel, AMD and ARM manufacturers are closely working and collaborating with hardware companies that ship their processors and software companies like Apple, Google, Microsoft, the Linux Foundation to release patches for these security flaws. We can’t assure the patches will completely solve these issues. But, at least, it is better than it seemed at first”.

What can you do right now?

Greg Kroah-Hartman has already announced the release of the 4.14.12, 4.9.75 and 4.4.110 stable kernels, which come with the Meltdown and Spectre fixes. So, if you’re using an Intel, AMD or ARM processor, it is highly recommended to check whether your Linux system is affected by the Meltdown and Spectre vulnerabilities and to patch it immediately by updating to the latest Linux kernel. If your Linux distribution doesn’t have the latest kernel updates yet, it is strongly recommended to change your Linux distribution right now.

Check For Meltdown And Spectre Vulnerabilities

On Arch Linux and derivatives, you can find out whether your system is affected by the Meltdown/Spectre vulnerabilities using the following two commands.

$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
$ dmesg | grep iso

If the above commands return nothing, your system is not patched yet. In that case, update your Arch based system using the command:

sudo pacman -Syu

After fully updating your Arch system, reboot and run the above commands again. If your system is patched, you should see the following output for the first command:

CONFIG_PAGE_TABLE_ISOLATION=y

And you will get this output for the second command:

[ 0.000000] Kernel/User page tables isolation: enabled

I have already updated the kernel in my Arch system. As you see in the above output, my Linux kernel is 4.14.12-1-ARCH and it is already patched. If you haven’t updated your Arch system yet, you won’t get any output.

The above commands might not work in Ubuntu. Thankfully, some good Samaritans on the Askubuntu forum have posted a workaround to find out whether your Ubuntu system is patched, using any one of the following commands.

$ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
$ grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
$ dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("

If the output is “unpatched”, your system is not patched yet. Update the kernel immediately to apply the patches.

I still use 4.4.0-104-generic in my Ubuntu system, so I get ‘unpatched’ in the result to all commands.
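The three Ubuntu one-liners above, and the two Arch commands before them, all grep for the same page-table-isolation indicators in three different places. The script below is an added example and not part of the article: it puts each indicator in a function that takes a file path, so the same logic runs against constructed sample files (embedded here, not captured from a real host) and against the live system. It assumes a grep that supports `-w`, and it also accepts the flag name `cpu_meltdown`, which later kernels use in place of the `cpu_insecure` flag the article greps for. Note that the cpuinfo flag only says the running kernel recognised the CPU as affected (a kernel too old to know about the bug prints nothing, and so does a CPU the kernel considers unaffected), so the dmesg line is the strongest of the three signals.

```shell
#!/bin/sh
# Added example (not from the article). Three PTI indicators, each as a
# function taking a file path, plus a combined verdict. Assumes grep -w.

# 0 if the kernel config file $1 was built with page-table isolation.
pti_in_config() {
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$1" 2>/dev/null
}

# 0 if the cpuinfo file $1 carries the Meltdown bug flag. "cpu_insecure" is
# the name in the 4.14.12 / 4.9.75 / 4.4.110 kernels; "cpu_meltdown" is the
# name later kernels switched to (assumption: accept both spellings).
meltdown_flag_in_cpuinfo() {
    grep -qw -e cpu_insecure -e cpu_meltdown "$1" 2>/dev/null
}

# 0 if the dmesg capture $1 reports PTI active for this boot.
pti_in_dmesg() {
    grep -q 'Kernel/User page tables isolation: enabled' "$1" 2>/dev/null
}

# pti_verdict CONFIG CPUINFO DMESG
# Prints one line per matching indicator, then "patched" or "unpatched"
# on the last line; returns 0 when at least one indicator matched.
pti_verdict() {
    hits=0
    if pti_in_config "$1"; then
        echo "config : CONFIG_PAGE_TABLE_ISOLATION=y"; hits=$((hits + 1))
    fi
    if meltdown_flag_in_cpuinfo "$2"; then
        echo "cpuinfo: meltdown bug flag present"; hits=$((hits + 1))
    fi
    if pti_in_dmesg "$3"; then
        echo "dmesg  : Kernel/User page tables isolation: enabled"; hits=$((hits + 1))
    fi
    if [ "$hits" -gt 0 ]; then echo patched; return 0; fi
    echo unpatched; return 1
}

# --- constructed sample inputs (written here, not captured from a host) ---
demo_dir=$(mktemp -d)
printf 'CONFIG_PAGE_TABLE_ISOLATION=y\n' > "$demo_dir/config.patched"
printf '# CONFIG_PAGE_TABLE_ISOLATION is not set\n' > "$demo_dir/config.old"
printf 'flags\t\t: fpu vme de pse\nbugs\t\t: cpu_insecure\n' > "$demo_dir/cpuinfo.patched"
printf 'flags\t\t: fpu vme de pse\nbugs\t\t:\n' > "$demo_dir/cpuinfo.old"
printf '[    0.000000] Kernel/User page tables isolation: enabled\n' > "$demo_dir/dmesg.patched"
printf '[    0.000000] Linux version 4.4.0-104-generic\n' > "$demo_dir/dmesg.old"

echo "== constructed patched host =="
pti_verdict "$demo_dir/config.patched" "$demo_dir/cpuinfo.patched" "$demo_dir/dmesg.patched"
echo "== constructed unpatched host =="
pti_verdict "$demo_dir/config.old" "$demo_dir/cpuinfo.old" "$demo_dir/dmesg.old" || true

# --- the same check against the running kernel, where those files exist ---
echo "== this host ($(uname -r)) =="
dmesg > "$demo_dir/dmesg.live" 2>/dev/null || true
pti_verdict "/boot/config-$(uname -r)" /proc/cpuinfo "$demo_dir/dmesg.live" || true
rm -rf "$demo_dir"
```

Run it as root (or with a user allowed to read the kernel log) so that the dmesg indicator can be evaluated; a missing `/boot/config-<version>` file simply counts as "indicator absent", which is why the verdict also reports which of the three checks actually fired.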

Update your kernel immediately using the following commands:

sudo apt-get update
sudo apt-get dist-upgrade

Or, as described in the following link.

After updating your kernel and rebooting, run those three commands again, and you will see that your Ubuntu system is patched.

For other Linux distributions, there is a script named “Spectre & Meltdown Checker” that checks for the Meltdown/Spectre vulnerabilities. This script will help you find out whether your Linux installation is vulnerable to the three “speculative execution” CVEs.

Git clone this script:

git clone https://github.com/speed47/spectre-meltdown-checker.git

This will clone all contents into a directory named “spectre-meltdown-checker” in your current working directory.

Go to that directory:

cd spectre-meltdown-checker/

Make the script executable:

chmod +x spectre-meltdown-checker.sh

Finally, run it to find the vulnerabilities:

sudo ./spectre-meltdown-checker.sh

Here is the sample output from my patched Ubuntu system:

Without options, it inspects your currently running kernel. You can also specify a kernel image on the command line if you’d like to inspect a kernel you’re not running.

Patch Meltdown And Spectre Vulnerabilities

As I already mentioned, keeping the kernel, your system and all software up to date is highly recommended, as it also brings a lot of other security fixes.

To update/upgrade your Arch Linux, run:

sudo pacman -Syu

To update Debian, Ubuntu:

sudo apt-get update && sudo apt-get dist-upgrade

To update Fedora:

sudo dnf update

To update RHEL/CentOS:

sudo yum update

After updating your Linux system, don’t forget to reboot it.
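The reboot matters because every check in this article reads the running kernel (`uname -r`): after `dist-upgrade` the patched kernel is already in /boot, but the one-liners keep saying “unpatched” until you boot into it. The script below is an added example, not part of the article: it compares the running kernel version with the newest kernel installed under a boot directory, using constructed sample file names (not taken from a real host), and then repeats the check for the host it runs on. It assumes that installed kernels leave a `config-<version>` file in /boot (true for Debian/Ubuntu, Fedora and RHEL/CentOS, not for Arch, which keeps the config in /proc/config.gz) and that GNU `sort -V` is available for version ordering.

```shell
#!/bin/sh
# Added example (not from the article). Tells whether the running kernel
# is the newest one installed, i.e. whether a reboot is still pending.
# Assumptions: kernels leave config-<version> files in BOOTDIR; GNU sort -V.

# newest_installed_kernel BOOTDIR -> prints the highest config-* version
# found there (nothing if there are no config-* files).
newest_installed_kernel() {
    for f in "$1"/config-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/config-}"
    done | sort -V | tail -n 1
}

# reboot_needed RUNNING BOOTDIR -> 0 if a kernel newer than RUNNING is
# installed in BOOTDIR, 1 otherwise (including "no kernels found").
reboot_needed() {
    newest=$(newest_installed_kernel "$2")
    if [ -z "$newest" ] || [ "$newest" = "$1" ]; then
        return 1
    fi
    highest=$(printf '%s\n%s\n' "$1" "$newest" | sort -V | tail -n 1)
    [ "$highest" = "$newest" ]
}

# --- constructed /boot with three Ubuntu-style kernel versions ---
demo=$(mktemp -d)
for v in 4.4.0-104-generic 4.4.0-108-generic 4.4.0-98-generic; do
    : > "$demo/config-$v"
done
echo "constructed /boot: newest installed kernel is $(newest_installed_kernel "$demo")"
for running in 4.4.0-104-generic 4.4.0-108-generic; do
    if reboot_needed "$running" "$demo"; then
        echo "running $running: newer kernel installed, reboot before re-running the checks"
    else
        echo "running $running: already on the newest installed kernel"
    fi
done
rm -rf "$demo"

# --- the same check for this host ---
if reboot_needed "$(uname -r)" /boot; then
    echo "this host: reboot into $(newest_installed_kernel /boot) before trusting the checks"
else
    echo "this host: running the newest kernel found in /boot (or no config-* files found)"
fi
```

The constructed case mirrors the situation in the article: a host still running 4.4.0-104-generic with a newer kernel already unpacked into /boot reports “reboot needed”, while the same host after booting into 4.4.0-108-generic reports nothing to do.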

Again, please remember that these issues aren’t completely resolved yet. You need to keep updating your Linux systems over the next few weeks, until everything gets fixed.

Hope this was useful. More good stuff to come. Stay tuned!

Cheers!


4 Responses

  1. Todd says:

    Thank you for the update, however, we patched our systems using:
    -> sudo apt-get update && sudo apt-get dist-upgrade
    and we continue to get the “unpatched 🙁 ” prompt
    -> grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
    -> dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
    -> grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("

    We are running:
    Distributor ID: Ubuntu
    Description: Ubuntu 16.04.3 LTS
    Release: 16.04
    Codename: xenial

    https://uploads.disquscdn.com/images/dfe43d182b7c23fcb9ef71fc863c0bc8e6dd59c7403807e07b52da7115f1e716.png https://uploads.disquscdn.com/images/af7c7fd42225acddc4b6029d65cade670e071aff7866a41f32a4ad7df56bbea3.png

    Don’t know if you have run into this issue, but let me know if there is something from a kernel rebuild or is there something that we have missed

    By the way, just ran apt-get update && apt-get dist-upgrade again and it still says “unpatched 🙁 ”

    Let me know if you run across something.

    T

  2. Todd says:

    Ran the spectre-meltdown-checker, it seems there is a Mitigation 1 vulnerability (IBRS hardware + kernel support), installed the patch on this as well (before this was run). https://uploads.disquscdn.com/images/c3413b84dec7b0254a406e913587c9541c2d002523e68aac6bc7c2d931f4cb7f.png

  3. Todd says:

    What we have identified in the Linux and Windows world, it seems that the patches are not comprehensive. We went through extensive tests and kernel distribution updates with no remedy for all of the issues experienced. Oh well, we have to wait for the distros and the CPU Mfg to provide a patch that is comprehensive. Anyway, thank you for your insight. https://uploads.disquscdn.com/images/80b3700d1ab401cea2eefaf466da413cb3b8db9667ca89a5c35676ebe6ab6285.png
