<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">On #Elrepo IRC at the moment, interesting to see my CPU + latest intel microcode download + latest elrepo kernel-ml is significantly more at-risk still:<div class=""><br class=""></div><div class=""><br class=""></div><div class=""><font face="IBMPlexMono" class="">~ [0] # uname -a<br class="">Linux nas 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64 x86_64 x86_64 GNU/Linux</font></div><div class=""><font face="IBMPlexMono" class=""><br class=""></font></div><div class=""><font face="IBMPlexMono" class=""><br class="">~ [0] # dmesg | grep -i micro<br class="">[ 0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20<br class="">[ 0.494508] microcode: sig=0x306c3, pf=0x2, revision=0x23<br class="">[ 0.494918] microcode: Microcode Update Driver: v2.2.</font></div><div class=""><font face="IBMPlexMono" class=""><br class="">~ [0] # ./spectre-meltdown-checker.sh<br class="">Spectre and Meltdown mitigation detection tool v0.24<br class=""><br class="">Checking for vulnerabilities against live running kernel Linux 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64<br class=""><br class="">CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'<br class="">* Checking count of LFENCE opcodes in kernel: NO (only 37 opcodes found, should be >= 70)<br class="">> STATUS: VULNERABLE (heuristic to be improved when official patches become available)<br class=""><br class="">CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'<br class="">* Mitigation 1<br class="">* Hardware (CPU microcode) support for mitigation: YES<br class="">* Kernel support for IBRS: NO<br class="">* IBRS enabled for Kernel space: NO<br class="">* IBRS enabled for User space: NO<br class="">* Mitigation 2<br class="">* Kernel compiled with retpoline option: NO<br class="">* Kernel compiled with a retpoline-aware compiler: NO<br class="">> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)<br class=""><br class="">CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'<br class="">* Kernel supports Page Table Isolation (PTI): YES<br class="">* PTI enabled and active: YES<br class="">> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)<br class=""><br class="">A false sense of security is worse than no security at all, see --disclaimer</font><br class=""><div class="">
<div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="color: rgb(0, 0, 0); letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px;"><br class="">--<br class="">Sam McLeod<br class=""><a href="https://smcleod.net" class="">https://smcleod.net</a><br class="">https://twitter.com/s_mcleod</div></div></div></div>
</div>
<div><br class=""><blockquote type="cite" class=""><div class="">On 11 Jan 2018, at 7:36 am, Phil Perry <<a href="mailto:phil@elrepo.org" class="">phil@elrepo.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On 10/01/18 20:06, Phil Perry wrote:<br class=""><blockquote type="cite" class="">A vulnerability checker script:<br class=""><a href="https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh" class="">https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh</a> <br class=""></blockquote><br class="">On a fully updated RHEL7 system (kernel-3.10.0-693.11.6.el7.x86_64), and after applying the latest microcode update for my CPU from Intel:<br class=""><br class=""># ./spectre-meltdown-checker.sh<br class="">Spectre and Meltdown mitigation detection tool v0.24<br class=""><br class="">Checking for vulnerabilities against live running kernel Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64<br class=""><br class="">CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'<br class="">* Checking count of LFENCE opcodes in kernel: YES (112 opcodes found, which is >= 70)<br class="">> STATUS: NOT VULNERABLE (heuristic to be improved when official patches become available)<br class=""><br class="">CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'<br class="">* Mitigation 1<br class="">* Hardware (CPU microcode) support for mitigation: YES<br class="">* Kernel support for IBRS: YES<br class="">* IBRS enabled for Kernel space: YES<br class="">* IBRS enabled for User space: NO<br class="">* Mitigation 2<br class="">* Kernel compiled with retpoline option: NO<br class="">* Kernel compiled with a retpoline-aware compiler: NO<br class="">> STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)<br class=""><br class="">CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'<br class="">* Kernel supports Page Table Isolation (PTI): YES<br class="">* PTI enabled and active: YES<br class="">> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)<br class=""><br class="">A false sense of security is worse than no security at all, see --disclaimer<br class=""><br class=""><br class="">Before the microcode update, it was showing as vulnerable to CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'<br class=""><br class=""><br class="">_______________________________________________<br class="">elrepo mailing list<br class=""><a href="mailto:elrepo@lists.elrepo.org" class="">elrepo@lists.elrepo.org</a><br class="">http://lists.elrepo.org/mailman/listinfo/elrepo<br class=""></div></div></blockquote></div><br class=""></div></body></html>