1 Spectre and Meltdown Checks
2 ^^^^^^^^^^^^^^^^^^^^^^^^^^^
4 Following section displays the output of a running shell script to tell if
5 system is vulnerable against the several "speculative execution" CVEs that were
6 made public in 2018. Script is available on `Spectre & Meltdown Checker Github
7 <https://github.com/speed47/spectre-meltdown-checker>`_.
11 Spectre and Meltdown mitigation detection tool v0.42
12 Checking for vulnerabilities on current system
13 Kernel is Linux 4.15.0-51-generic #55-Ubuntu SMP Wed May 15 14:27:21 UTC 2019 x86_64
14 CPU is Intel(R) Atom(TM) CPU C3858 @ 2.00GHz
17 * Hardware support (CPU microcode) for mitigation techniques
18 * Indirect Branch Restricted Speculation (IBRS)
19 * SPEC_CTRL MSR is available: YES
20 * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
21 * Indirect Branch Prediction Barrier (IBPB)
22 * PRED_CMD MSR is available: YES
23 * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
24 * Single Thread Indirect Branch Predictors (STIBP)
25 * SPEC_CTRL MSR is available: YES
26 * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
27 * Speculative Store Bypass Disable (SSBD)
28 * CPU indicates SSBD capability: YES (Intel SSBD)
29 * L1 data cache invalidation
30 * FLUSH_CMD MSR is available: NO
31 * CPU indicates L1D flush capability: NO
32 * Microarchitecture Data Sampling
33 * VERW instruction is available: YES (MD_CLEAR feature bit)
34 * Enhanced IBRS (IBRS_ALL)
35 * CPU indicates ARCH_CAPABILITIES MSR availability: YES
36 * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
37 * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES
38 * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
39 * CPU/Hypervisor indicates L1D flushing is not necessary on this system: YES
40 * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
41 * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): YES
42 * CPU supports Software Guard Extensions (SGX): NO
43 * CPU microcode is known to cause stability problems: NO (model 0x5f family 0x6 stepping 0x1 ucode 0x2e cpuid 0x506f1)
44 * CPU microcode is the latest known available version: awk: fatal: cannot open file `bash for reading (No such file or directory)
45 UNKNOWN (latest microcode version for your CPU model is unknown)
46 * CPU vulnerability to the speculative execution attack variants
47 * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
48 * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
49 * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
50 * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
51 * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
52 * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
53 * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
54 * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO
55 * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): NO
56 * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): NO
57 * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): NO
58 * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): NO
60 CVE-2017-5753 aka Spectre Variant 1, bounds check bypass
61 * Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
62 * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
63 * Kernel has the Red Hat/Ubuntu patch: NO
64 * Kernel has mask_nospec64 (arm64): NO
65 > STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
67 CVE-2017-5715 aka Spectre Variant 2, branch target injection
68 * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling)
70 * Kernel is compiled with IBRS support: YES
71 * IBRS enabled and active: YES (for firmware code only)
72 * Kernel is compiled with IBPB support: YES
73 * IBPB enabled and active: YES
75 * Kernel has branch predictor hardening (arm): NO
76 * Kernel compiled with retpoline option: YES
77 * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
78 > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
80 CVE-2017-5754 aka Variant 3, Meltdown, rogue data cache load
81 * Mitigated according to the /sys interface: YES (Not affected)
82 * Kernel supports Page Table Isolation (PTI): YES
83 * PTI enabled and active: UNKNOWN (dmesg truncated, please reboot and relaunch this script)
84 * Reduced performance impact of PTI: NO (PCID/INVPCID not supported, performance impact of PTI will be significant)
85 * Running as a Xen PV DomU: NO
86 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
88 CVE-2018-3640 aka Variant 3a, rogue system register read
89 * CPU microcode mitigates the vulnerability: YES
90 > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
92 CVE-2018-3639 aka Variant 4, speculative store bypass
93 * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
94 * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
95 * SSB mitigation is enabled and active: YES (per-thread through prctl)
96 * SSB mitigation currently active for selected processes: YES (systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
97 > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
99 CVE-2018-3615 aka Foreshadow (SGX), L1 terminal fault
100 * CPU microcode mitigates the vulnerability: N/A
101 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
103 CVE-2018-3620 aka Foreshadow-NG (OS), L1 terminal fault
104 * Mitigated according to the /sys interface: YES (Not affected)
105 * Kernel supports PTE inversion: YES (found in kernel image)
106 * PTE inversion enabled and active: NO
107 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
109 CVE-2018-3646 aka Foreshadow-NG (VMM), L1 terminal fault
110 * Information from the /sys interface: Not affected
111 * This system is a host running a hypervisor: NO
113 * EPT is disabled: NO
115 * L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
116 * L1D flush enabled: NO
117 * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
118 * Hyper-Threading (SMT) is enabled: NO
119 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
121 CVE-2018-12126 aka Fallout, microarchitectural store buffer data sampling (MSBDS)
122 * Mitigated according to the /sys interface: YES (Not affected)
123 * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
124 * Kernel mitigation is enabled and active: NO
125 * SMT is either mitigated or disabled: NO
126 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
128 CVE-2018-12130 aka ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)
129 * Mitigated according to the /sys interface: YES (Not affected)
130 * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
131 * Kernel mitigation is enabled and active: NO
132 * SMT is either mitigated or disabled: NO
133 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
135 CVE-2018-12127 aka RIDL, microarchitectural load port data sampling (MLPDS)
136 * Mitigated according to the /sys interface: YES (Not affected)
137 * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
138 * Kernel mitigation is enabled and active: NO
139 * SMT is either mitigated or disabled: NO
140 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
142 CVE-2019-11091 aka RIDL, microarchitectural data sampling uncacheable memory (MDSUM)
143 * Mitigated according to the /sys interface: YES (Not affected)
144 * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
145 * Kernel mitigation is enabled and active: NO
146 * SMT is either mitigated or disabled: NO
147 > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
149 > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK