How To Check For Meltdown And Spectre Vulnerabilities And Patch Them In Linux
Earlier this week, a team of researchers at Google’s Project Zero disclosed the Meltdown and Spectre vulnerabilities, which affect many modern processors, including certain processors from Intel, AMD and ARM. Even though AMD has claimed that there is zero chance of its processors being affected by these flaws, the researchers have indicated that the Meltdown vulnerability is exclusive to Intel processors, while the Spectre vulnerability can possibly affect some Intel, AMD and ARM processors.
According to Wired, “the Intel, AMD and ARM manufacturers are closely working and collaborating with hardware companies that ship their processors and software companies like Apple, Google, Microsoft, the Linux Foundation to release patches for these security flaws. We can’t assure the patches will completely solve these issues. But, at least, better than it seemed first”.
What can you do right now?
Greg Kroah-Hartman has already announced the release of the 4.14.12, 4.9.75 and 4.4.110 stable kernels, which come with Meltdown and Spectre fixes. So, if you’re using an Intel, AMD or ARM processor, it is highly recommended to check whether your Linux system is affected by the Meltdown and Spectre vulnerabilities and to patch it immediately by updating to the latest Linux kernel. If your Linux distribution doesn’t have the latest kernel updates yet, it is strongly recommended to change your Linux distribution right now.
Check For Meltdown And Spectre Vulnerabilities
On Arch Linux and derivatives, you can find out whether your system is affected by the Meltdown/Spectre vulnerabilities using the following two commands.
$ zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
$ dmesg | grep iso
If the above commands return nothing, your system is not patched yet. So, you need to update your Arch-based system using the command:
sudo pacman -Syu
After fully updating your Arch system, reboot and run the above commands again. If your system is patched, the first command should print the CONFIG_PAGE_TABLE_ISOLATION=y line of your kernel configuration.
And you will get this output for the second command:
[ 0.000000] Kernel/User page tables isolation: enabled
I have already updated the kernel in my Arch system. As you can see in the above output, my Linux kernel is 4.14.12-1-ARCH and it is already patched. If you haven’t updated your Arch system yet, you won’t get any output.
The above commands might not work in Ubuntu. Thankfully, some good Samaritans on the Ask Ubuntu forum have posted a workaround to find out whether your Ubuntu system is patched or not, using any one of the following commands.
$ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
$ grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
$ dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
If the output is unpatched, your system is not patched yet. Update the kernel immediately to apply the patches.
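The Arch commands and the Ubuntu one-liners above each look at a single signal (the kernel config, the cpu_insecure bug flag in /proc/cpuinfo, or a dmesg line that may have scrolled out of the ring buffer or be unreadable without root). The following script, an added example that is not part of the original article or of any project it links, wraps those checks in functions and prefers the /sys/devices/system/cpu/vulnerabilities/ interface that kernels from 4.15 (and the stable backports) expose. It assumes the sysfs file contents begin with "Not affected", "Mitigation:" or "Vulnerable", and that later kernels renamed the cpu_insecure flag to cpu_meltdown; the function names are mine, and every function takes its input as an argument so it can be run against constructed data as well as the live system.

```shell
#!/bin/sh
# Added example (not the article's or the checker project's code). Combines the
# page's checks (kernel config, /proc/cpuinfo bug flag) with the sysfs interface
# newer kernels expose. Assumed: sysfs status strings start with "Not affected",
# "Mitigation:" or "Vulnerable"; the bug flag is cpu_insecure or cpu_meltdown.

# Classify one sysfs vulnerability string.
# Prints: not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not-affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;
    esac
}

# Scan a vulnerabilities directory (default: the live sysfs path) and print
# "<name> <status>" per entry. Exit status: 0 = all mitigated or not affected,
# 1 = at least one entry vulnerable, 2 = directory missing (kernel too old).
scan_vulnerabilities() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    [ -d "$dir" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        status=$(classify_status "$(cat "$f")")
        printf '%s %s\n' "$(basename "$f")" "$status"
        if [ "$status" = vulnerable ]; then rc=1; fi
    done
    return "$rc"
}

# Fallback 1: is KPTI built into the kernel config? $1 is the config file
# (default: the running kernel's); a gzipped file such as /proc/config.gz on
# Arch is handled too. Exit status: 0 = enabled, 1 = not set, 2 = unreadable.
kpti_in_config() {
    cfg="${1:-/boot/config-$(uname -r)}"
    [ -r "$cfg" ] || return 2
    case "$cfg" in
        *.gz) zcat "$cfg" | grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' ;;
        *)    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$cfg" ;;
    esac
}

# Fallback 2: does the cpuinfo text in $1 carry the Meltdown bug flag? The first
# patched stable kernels called it cpu_insecure (as in the one-liner above);
# later kernels renamed it to cpu_meltdown, so accept both.
meltdown_flag_in_cpuinfo() {
    printf '%s\n' "$1" |
      grep -E -q '^bugs[[:space:]]*:.*[[:space:]](cpu_insecure|cpu_meltdown)([[:space:]]|$)'
}

# Stand-alone run against the live system: prefer sysfs, otherwise fall back.
# Always returns 0; the verdict is in the printed lines.
check_live_system() {
    rc=0
    scan_vulnerabilities || rc=$?
    case "$rc" in
        0) echo "sysfs: every listed vulnerability is mitigated or not affected" ;;
        1) echo "sysfs: at least one vulnerability is NOT mitigated" ;;
        *) echo "sysfs interface absent; falling back to config/cpuinfo checks"
           if kpti_in_config; then
               echo "config: CONFIG_PAGE_TABLE_ISOLATION=y (patched)"
           else
               echo "config: KPTI not found (unpatched, or config unreadable)"
           fi
           if meltdown_flag_in_cpuinfo "$(cat /proc/cpuinfo 2>/dev/null)"; then
               echo "cpuinfo: Meltdown bug flag present (kernel is aware of it)"
           else
               echo "cpuinfo: no Meltdown bug flag"
           fi ;;
    esac
    return 0
}

check_live_system
```

A mitigated entry only tells you the running kernel carries a fix; after a kernel update the sysfs files still describe the old kernel until you reboot, so run the script again after rebooting.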
I still use 4.4.0-104-generic in my Ubuntu system, so I get ‘unpatched’ as the result of all commands.
Go update your Kernel immediately using command:
sudo apt-get update
sudo apt-get dist-upgrade
Or, as described in the following link.
- Linux Kernel Utilities – Scripts To Compile And Update Latest Linux Kernel For Debian And Derivatives
After updating your kernel, run those three commands again, and you will see your Ubuntu system is patched!
For other Linux distributions, there is a script named “Spectre & Meltdown Checker” to check for the Meltdown/Spectre vulnerabilities. This script will help you find out whether your Linux installation is vulnerable to the three “speculative execution” CVEs.
Git clone this script:
git clone https://github.com/speed47/spectre-meltdown-checker.git
This will clone all contents in a directory named “spectre-meltdown-checker” in your current working directory.
Go to that directory:
Make the script executable:
chmod +x spectre-meltdown-checker.sh
Finally run it to find the vulnerabilities:
Here is the sample output from my patched Ubuntu system:
Without options, it’ll inspect your currently running kernel. You can also specify a kernel image on the command line if you’d like to inspect a kernel you’re not running.
Patch Meltdown And Spectre Vulnerabilities
As I already mentioned, keeping the kernel, your system and all software up to date is highly recommended, as it also brings a lot of other security fixes.
To update/upgrade your Arch Linux, run:
sudo pacman -Syu
To update Debian, Ubuntu:
sudo apt-get update && sudo apt-get dist-upgrade
To update Fedora:
sudo dnf update
To update RHEL/CentOS:
sudo yum update
After updating your Linux system, don’t forget to reboot it.
Again, please remember that these issues aren’t completely resolved yet. You need to keep updating your Linux systems over the next few weeks, until everything gets fixed.