(Solved)Vulnerable to Meltdown & Spectre

[sarksloane]

Hi, please advise, what shall i do? i saw in my twitter account http://news.softpedia.com/news/how-to-c ... 9364.shtml

Code: Select all

root@debian:/tmp/spectre-meltdown-checker-0.31# sh ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
CPU is Intel(R) Xeon(R) CPU E5540 @ 2.53GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
root@debian:/tmp/spectre-meltdown-checker-0.31# 

[dilberts_left_nut]

please advise, what shall i do?

Same as always - be careful what code you run.

[bw123]

The link you provided tells you what to do, unfortunately it doesn't say where to get firmware or kernel that will pass the test. It only links to articles that link to other articles, that link to more links...

If you see that your Linux computer is vulnerable to both variants of the Spectre attack, make sure you install the microcode firmware for your Intel or AMD CPU, as well as to use a kernel compiled with retpoline option and a retpoline-aware compiler.

More interesting to me was the privacy policy of the site you linked...
http://www.softpedia.com/user/privacy.shtml

Softpedia allows other companies, called third-party ad servers or ad networks, to serve advertisements within the Softpedia site. These third-party ad servers or ad networks use technology to send, directly to your browser, the advertisements and links that appear on the Softpedia site. They automatically receive your IP address when this happens. They may also use other technologies (such as cookies, JavaScript, or Web Beacons) to measure the effectiveness of their advertisements and to personalize the advertising content you see.

People who want the checker can get it here, bypassing the article
https://github.com/speed47/spectre-meltdown-checker

It says in the output that you posted that you are not vulnerable to meltdown, so again, I don't understand the question. The post looks a little spammy to me.

[GarryRicketson]

I wouldn't touch any thing coming from softpedia, and certainly wouldn't run some script they put on there.

please advise, what shall i do?

Same as always - be careful what code you run.

[sarksloane]

Thank you very much guys for your advise. I'll take this as a serious advise and great lesson.

My Apology for my carelessness and next time I would be more careful.

Again, thank you for your feedback.

[stevepusser]

The script has no connection or sponsorship from Softpedia; they just gave a link to it. It's already been directly referenced several times in other threads here.

I hope they don't put 70 LFENCEs in the kernel, since that's a flag to disable speculation, and would really slow it down.

Retpoline support is not currently in the main kernel tree.