(Solved)Vulnerable to Meltdown & Spectre

New to Debian (Or Linux in general)? Ask your questions here!

(Solved)Vulnerable to Meltdown & Spectre

Postby sarksloane » 2018-01-16 04:15

Hi, please advise, what shall i do? i saw in my twitter account http://news.softpedia.com/news/how-to-check-if-your-linux-pc-is-vulnerable-to-meltdown-spectre-security-flaws-519364.shtml

Code: Select all
root@debian:/tmp/spectre-meltdown-checker-0.31# sh ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.31

Checking for vulnerabilities against running kernel Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64
CPU is Intel(R) Xeon(R) CPU E5540 @ 2.53GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO
> STATUS:  VULNERABLE  (only 25 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO
*     The SPEC_CTRL CPUID feature bit is set:  NO
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Checking if we're running under Xen PV (64 bits):  NO
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
root@debian:/tmp/spectre-meltdown-checker-0.31#
Last edited by sarksloane on 2018-01-16 16:54, edited 1 time in total.
sarksloane
 
Posts: 66
Joined: 2017-01-17 04:21

Re: Vulnerable to Meltdown & Spectre

Postby dilberts_left_nut » 2018-01-16 04:28

sarksloane wrote:please advise, what shall i do?
Same as always - be careful what code you run.
AdrianTM wrote:There's no hacker in my grandma...
User avatar
dilberts_left_nut
 
Posts: 4771
Joined: 2009-10-05 07:54
Location: enzed

Re: Vulnerable to Meltdown & Spectre

Postby bw123 » 2018-01-16 14:28

The link you provided tells you what to do, unfortunately it doesn't say where to get firmware or kernel that will pass the test. It only links to articles that link to other articles, that link to more links...

If you see that your Linux computer is vulnerable to both variants of the Spectre attack, make sure you install the microcode firmware for your Intel or AMD CPU, as well as to use a kernel compiled with retpoline option and a retpoline-aware compiler.


More interesting to me was the privacy policy of the site you linked...
http://www.softpedia.com/user/privacy.shtml
Softpedia allows other companies, called third-party ad servers or ad networks, to serve advertisements within the Softpedia site. These third-party ad servers or ad networks use technology to send, directly to your browser, the advertisements and links that appear on the Softpedia site. They automatically receive your IP address when this happens. They may also use other technologies (such as cookies, JavaScript, or Web Beacons) to measure the effectiveness of their advertisements and to personalize the advertising content you see.


People who want the checker can get it here, bypassing the article
https://github.com/speed47/spectre-meltdown-checker

It says in the output that you posted that you are not vulnerable to meltdown, so again, I don't understand the question. The post looks a little spammy to me.
User avatar
bw123
 
Posts: 2763
Joined: 2011-05-09 06:02
Location: TN_USA

Re: Vulnerable to Meltdown & Spectre

Postby GarryRicketson » 2018-01-16 15:33

I wouldn't touch any thing coming from softpedia, and certainly wouldn't run some script they put on there.
dilberts_left_nut wrote:
sarksloane wrote:please advise, what shall i do?
Same as always - be careful what code you run.
User avatar
GarryRicketson
 
Posts: 4726
Joined: 2015-01-20 22:16
Location: Durango, Mexico

Re: Vulnerable to Meltdown & Spectre

Postby sarksloane » 2018-01-16 16:54

Thank you very much guys for your advise. I'll take this as a serious advise and great lesson.

My Apology for my carelessness and next time I would be more careful.

Again, thank you for your feedback.
sarksloane
 
Posts: 66
Joined: 2017-01-17 04:21

Re: (Solved)Vulnerable to Meltdown & Spectre

Postby stevepusser » 2018-01-17 04:58

The script has no connection or sponsorship from Softpedia; they just gave a link to it. It's already been directly referenced several times in other threads here.

I hope they don't put 70 LFENCEs in the kernel, since that's a flag to disable speculation, and would really slow it down.

Retpoline support is not currently in the main kernel tree.
The MX Linux repositories: Backports galore! If we don't have something, just ask and we'll try--we like challenges. New packages: Krita 3.3.3, Pale Moon 27.7.2, Yacreader 9.0rc1, Calligra 3.1, VLC 3.0.0, Firefox 58.0.2, QMPlay2 17.12.31
User avatar
stevepusser
 
Posts: 9222
Joined: 2009-10-06 05:53


Return to Beginners Questions

Who is online

Users browsing this forum: No registered users and 4 guests

fashionable