On #Elrepo IRC at the moment, interesting to see my CPU + latest Intel microcode download + latest elrepo kernel-ml is significantly more at-risk still:

~ [0] # uname -a
Linux nas 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64 x86_64 x86_64 GNU/Linux

~ [0] # dmesg | grep -i micro
[ 0.000000] microcode: microcode updated early to revision 0x23, date = 2017-11-20
[ 0.494508] microcode: sig=0x306c3, pf=0x2, revision=0x23
[ 0.494918] microcode: Microcode Update Driver: v2.2.

~ [0] # ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.24

Checking for vulnerabilities against live running kernel Linux 4.14.12-1.el7.elrepo.x86_64 #1 SMP Fri Jan 5 13:28:56 EST 2018 x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO (only 37 opcodes found, should be >= 70)
> STATUS: VULNERABLE (heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: YES
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

--
Sam McLeod
https://smcleod.net
https://twitter.com/s_mcleod

> On 11 Jan 2018, at 7:36 am, Phil Perry <p...@elrepo.org> wrote:
>
> On 10/01/18 20:06, Phil Perry wrote:
>> A vulnerability checker script:
>> https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/master/spectre-meltdown-checker.sh
>>
>
> On a fully updated RHEL7 system (kernel-3.10.0-693.11.6.el7.x86_64), and after applying the latest microcode update for my CPU from Intel:
>
> # ./spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.24
>
> Checking for vulnerabilities against live running kernel Linux 3.10.0-693.11.6.el7.x86_64 #1 SMP Thu Dec 28 14:23:39 EST 2017 x86_64
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Checking count of LFENCE opcodes in kernel: YES (112 opcodes found, which is >= 70)
> > STATUS: NOT VULNERABLE (heuristic to be improved when official patches become available)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
> * Hardware (CPU microcode) support for mitigation: YES
> * Kernel support for IBRS: YES
> * IBRS enabled for Kernel space: YES
> * IBRS enabled for User space: NO
> * Mitigation 2
> * Kernel compiled with retpoline option: NO
> * Kernel compiled with a retpoline-aware compiler: NO
> > STATUS: NOT VULNERABLE (IBRS mitigates the vulnerability)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Kernel supports Page Table Isolation (PTI): YES
> * PTI enabled and active: YES
> > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
>
> A false sense of security is worse than no security at all, see --disclaimer
>
>
> Before the microcode update, it was showing as vulnerable to CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>
>
> _______________________________________________
> elrepo mailing list
> elrepo@lists.elrepo.org
> http://lists.elrepo.org/mailman/listinfo/elrepo