LINUX.ORG.RU

Is your system vulnerable to Spectre or Meltdown?


The CoreOS developers have released a script for checking whether your system is vulnerable. Download it, run it, share the results:

https://github.com/speed47/spectre-meltdown-checker

  1. I can't run the script, I have paws 462 (57%)

  2. Vulnerable to Spectre Variant 1 254 (31%)

  3. Vulnerable to Spectre Variant 2 245 (30%)

  4. Not vulnerable to Meltdown 231 (28%)

  5. Vulnerable to Meltdown 96 (12%)

  6. Not vulnerable to Spectre Variant 2 82 (10%)

  7. Not vulnerable to Spectre Variant 1 74 (9%)

Total votes: 1444, total voters: 815

★★★★★

Approved by: Licwin ()

In reply to: comment by Kron4ek

Well then, you have nothing to fear :)

well, actually, I wasn't worried in the first place :)

buratino ★★★★★
()
Checking for vulnerabilities against running kernel Linux 4.14.14-1-ARCH #1 SMP PREEMPT Fri Jan 19 18:42:04 UTC 2018 x86_64
CPU is  Intel(R) Pentium(R) CPU G4620 @ 3.70GHz
     
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)
     
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
     
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)
Kron4ek ★★★★★
()
Checking for vulnerabilities against running kernel Linux 4.14.13-300.fc27.x86_64 #1 SMP Thu Jan 11 04:00:01 UTC 2018 x86_64
CPU is  Intel(R) Core(TM) i7-8550U CPU @ 1.80GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
Jefail ★★★★
()
In reply to: comment by ashot

The moderators can see your IP! Please make your root password match the password of your LOR account, otherwise it's inconvenient for us.

Aceler ★★★★★
() topic author

Just for laughs

Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.13.16-sunxi #20 SMP Fri Nov 24 19:50:07 CET 2017 armv7l
CPU is ARM v7 model 0xc07

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
Checking count of LFENCE opcodes in kernel:  UNKNOWN
STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
Mitigation 1
  Hardware (CPU microcode) support for mitigation
    The SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
    The SPEC_CTRL CPUID feature bit is set:  UNKNOWN  (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
  Kernel support for IBRS:  NO
  IBRS enabled for Kernel space:  NO
  IBRS enabled for User space:  NO
Mitigation 2
  Kernel compiled with retpoline option:  NO
  Kernel compiled with a retpoline-aware compiler:  NO
STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
Kernel supports Page Table Isolation (PTI):  NO
PTI enabled and active:  UNKNOWN  (dmesg truncated, please reboot and relaunch this script)
Checking if we're running under Xen PV (64 bits):  NO
STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

Radjah ★★★★★
()

Vulnerable to Spectre Variant 2
Not vulnerable to Meltdown
Not vulnerable to Spectre Variant 1
Linux Mint 18.3, kernel 4.13.0-31. Core i5-6400

Promusik ★★★★★
()
In reply to: comment by buratino

though it's running OpenBSD, will the script work?

It won't work: the script doesn't test exploits, it checks for the presence of patches, for which it uses the kernel config and debugfs, which of course don't exist outside Linux.

But you can look for other scripts for OpenBSD, it makes no difference to us.

Aceler ★★★★★
() topic author
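
The outputs posted in this thread show the script asking the kernel's `/sys` interface for its verdict. The following is an added example (not part of the original thread and not code from spectre-meltdown-checker) that reads the same kind of status strings and maps them to VULNERABLE / NOT VULNERABLE. The function names and the constructed sample directory are assumptions; the path is the kernel's sysfs vulnerabilities directory.

```shell
#!/bin/sh
# Added example: classify the kernel's own verdicts from sysfs,
# the "/sys interface" mentioned in the outputs posted in this thread.

# Map one sysfs status string to a script-style verdict.
classify_status() {
    case "$1" in
        "Not affected"*) echo "NOT VULNERABLE" ;;  # CPU model is not affected
        "Mitigation:"*)  echo "NOT VULNERABLE" ;;  # e.g. "Mitigation: PTI"
        "Vulnerable"*)   echo "VULNERABLE" ;;      # also "Vulnerable: Minimal generic ASM retpoline"
        *)               echo "UNKNOWN" ;;         # empty or unrecognised text
    esac
}

# Print one line per CVE for a directory (default: the live system).
report_dir() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for pair in "spectre_v1:CVE-2017-5753" "spectre_v2:CVE-2017-5715" \
                "meltdown:CVE-2017-5754"; do
        name="${pair%%:*}"
        cve="${pair#*:}"
        if [ -r "$dir/$name" ]; then
            status="$(cat "$dir/$name")"
            echo "$cve $name: $(classify_status "$status") ($status)"
        else
            # A kernel without this interface has no such file.
            echo "$cve $name: UNKNOWN (no sysfs entry)"
        fi
    done
}

# Constructed sample directory, using status strings quoted in this thread.
make_sample() {
    d="$(mktemp -d)"
    printf 'Vulnerable\n' > "$d/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$d/spectre_v2"
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    echo "$d"
}

# With no argument this reports on the running kernel.
report_dir "$@"
```

A "Vulnerable: ..." string that names a partial mitigation still counts as VULNERABLE here, matching the "Minimal generic ASM retpoline" results above.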
In reply to: comment by Aceler

It won't work: the script doesn't test exploits, it checks for the presence of patches

which patches? so it's a theorist, then? :)

buratino ★★★★★
()
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.14.0-3-amd64 #1 SMP Debian 4.14.13-1 (2018-01-14) x86_64
CPU is  AMD Athlon(tm) II X2 270 Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 23 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

And... who's going to decipher this message from the aliens?

amd_amd ★★★★★
()
In reply to: comment by amd_amd

And... who's going to decipher this message from the aliens?

What is there to decipher? Not vulnerable to Meltdown, vulnerable to both Spectre variants.

Kron4ek ★★★★★
()

it thinks echo has a -e flag, tries to read some /proc/cpuinfo... some kind of crap for Lindows users

moot ★★★★
()

N3350 + Mint 18.3 (x86-64) (kernel 4.13.0-31) - vulnerable to variant 2 (VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)). 1 and 3 are all fine.

Alexonline ★★★★
()
Last edited by: Alexonline (total edits: 1)
In reply to: comment by Aceler

amd_amd ★ (23.01.2018 13:38:32) "I'm not going to learn English just because of this - life is too short to waste it on nonsense"

intelfx ★★★★★
()
In reply to: comment by SakuraKun

And which kernel version do you have installed?

4.9.77, the latest 4.9 at the moment. 4.9.77-std-def-alt0.M80P.1, to be completely precise.

AS ★★★★★
()
Last edited by: AS (total edits: 1)

Not vulnerable to anything

Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.13.0-30-generic #33~16.04.1-Ubuntu SMP Mon Jan 15 21:31:06 UTC 2018 x86_64
CPU is  Intel(R) Core(TM) i7-4790 CPU @ 3.60GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES 
> STATUS:  NOT VULNERABLE  (114 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  YES 
*     The SPEC_CTRL CPUID feature bit is set:  YES 
*   Kernel support for IBRS:  YES 
*   IBRS enabled for Kernel space:  YES 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

LinuxDebian ★★★★
()
Last edited by: LinuxDebian (total edits: 1)
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.14.14-gentoo #5 SMP Sun Jan 21 01:24:02 EET 2018 x86_64
CPU is  Intel(R) Core(TM) i7-4702MQ CPU @ 2.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
Singularity ★★★★★
()

Voted for paws.

And anyway, I have AMD and no desire to run scripts.

Deleted
()

How do I run the script on an iPhone?

see subject

firstep
()

you can forget about Spectre. it's overblown hysteria.

wieker ★★
()

Vulnerable to Spectre Variant 1

Linux 4.14.14 + I5-3380M

Deleted
()
In reply to: comment by LinuxDebian

But you did comment, didn't you?

P.S. I, for one, am not interested at all in what is vulnerable on whose machine somewhere on a forum.

Deleted
()
In reply to: comment by moot

Well yes, the CoreOS developers should, of course, have written the script for Lindows.

Aceler ★★★★★
() topic author
Checking for vulnerabilities against running kernel Linux 4.14.14-1-ARCH #1 SMP PREEMPT Fri Jan 19 18:42:04 UTC 2018 x86_64
CPU is  Intel(R) Core(TM) i5-6600K CPU @ 3.50GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
Niroday
()
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.14.13-1-ARCH #1 SMP PREEMPT Wed Jan 10 11:14:50 UTC 2018 x86_64
CPU is  Intel(R) Core(TM) i7-4810MQ CPU @ 2.80GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 41 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
*     The SPEC_CTRL CPUID feature bit is set:  UNKNOWN  (couldn't read /dev/cpu/0/cpuidr, is cpuid support enabled in your kernel?)
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
kiotoze ★★★★
()

Vulnerable to Spectre Variant 1

Not vulnerable to Spectre Variant 2

Not vulnerable to Meltdown

Motif ★★
()
Last edited by: Motif (total edits: 1)
In reply to: comment by r0ck3r

Now that's a question :-) Create a topic in the forum and tag it fedora, the experts will come running and tell you )

Aceler ★★★★★
() topic author
In reply to: comment by Aceler

can't be bothered somehow)) And the problem, in my view, isn't all that serious: nobody is going to chase after yet another elusive Joe, it seems to me

r0ck3r ★★★★★
()

Vulnerable to everything. That's good, I'm not willing to sacrifice performance for the sake of security.

pawnhearts ★★★★★
()
In reply to: comment by intelfx

and what were you trying to say?

STATUS: VULNERABLE STATUS: VULNERABLE STATUS: NOT VULNERABLE

I understood that stuff anyway, but there are so many yes & no in there - if only someone would spell it out...

amd_amd ★★★★★
()
Not vulnerable to Meltdown
Not vulnerable to Spectre Variant 1
Not vulnerable to Spectre Variant 2
$ uname -a
Linux raspberrypi 4.9.59-v7+ #1047 SMP Sun Oct 29 12:19:23 GMT 2017 armv7l GNU/Linux
whatevar
()
./spectre-meltdown-checker.sh: line 7: syntax error near unexpected token `newline'
./spectre-meltdown-checker.sh: line 7: `<!DOCTYPE html>'

ah, I see, I saved the wrong thing

targitaj ★★★★★
()
Last edited by: targitaj (total edits: 1)

The freshest openSUSE Leap 42.3 is vulnerable only to Variant 2, how do I fix it?

Pyzia ★★★★★
()

garbage - all my machines output the same thing, AMD or Intel, doesn't matter a damn what year they're from - the result is identical

STATUS: VULNERABLE STATUS: VULNERABLE STATUS: NOT VULNERABLE

amd_amd ★★★★★
()
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.14.14-1-default #1 SMP PREEMPT Wed Jan 17 09:26:10 UTC 2018 (eef6178) x86_64
CPU is  Intel(R) Pentium(R) Dual  CPU  T2330  @ 1.60GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
> STATUS:  VULNERABLE  (Vulnerable)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer
Grruzchik
()
Spectre and Meltdown mitigation detection tool v0.32

Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is  AMD FX(tm)-8350 Eight-Core Processor

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation
*     The SPEC_CTRL MSR is available:  NO 
*     The SPEC_CTRL CPUID feature bit is set:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  NO 
* Checking if we're running under Xen PV (64 bits):  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

targitaj ★★★★★
()
Last edited by: targitaj (total edits: 2)

I only have a little hole in Spectre Variant 2 Mitigation 2, everything else is closed...

I-Love-Microsoft ★★★★★
()
In reply to: comment by I-Love-Microsoft

No, the option "I'm an infant and a lamer" isn't on the list.

My condolences..

djoe ★★★
()
In reply to: comment by Satou

Mya. Confirmed. Nobody guessed. I say it straight - they don't believe me. Such is fate...

targitaj ★★★★★
()

Vulnerable to Spectre Variant 1
Vulnerable to Spectre Variant 2
Not vulnerable to Meltdown

Linux 4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 CPU is Intel(R) Celeron(R) CPU E3500 @ 2.70GHz

Deleted
()

your CPU vendor reported your CPU model as not vulnerable
CPU is AMD Ryzen 5 1500X Quad-Core Processor

So it goes.

karton1 ★★★★★
()