Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread
Posted: Mon Jun 03, 2019 5:48 pm
by Stevo
Updated to 2.4.2 in the main repos for MX 15-18. This looks for the latest Zombieload and other vulnerabilities:
2.4.1
Feature: add support for the 4 MDS CVEs (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 / Fallout, RIDL, ZombieLoad)
Feature: add Spectre and Meltdown mitigation detection for Hygon CPU (#271)
Feature: for SSBD, report whether the mitigation is active (in live mode) (#210)
Enhancement: better Xen and hypervisors detection (#259) (#270)
Enhancement: in paranoid mode, assume we're running a hypervisor (for L1TF) unless stated otherwise
Enhancement: better detect Arch kernel image location (#268)
Fix: error when no process used prctl to set SSB mitigation
Fix: invalid names in json batch mode (#279)
Fix: IBRS kernel reported active even if sysfs had "IBRS_FW" only (#275) (#276)
Fix: load vmm under BSD if not already loaded (#274)
Fix: misdetection of files under Clear Linux (#264)
Misc: update MCEdb to v110
Misc: dozens of other fixes and enhancements
2.4.2
Feature: add FreeBSD MDS mitigation detection
Feature: add mocking functionality to help debugging, dump data to mock the behavior of your CPU with --dump-mock-data
Fix: AMD, ARM and CAVIUM are not vulnerable to MDS
Fix: RDCL_NO bit wasn't taking precedence for L1TF check on some newer Intel CPUs
Fix: The MDS_NO bit on newer Intel CPUs is now recognized and used
Fix: remove libvirtd from hypervisor detection to avoid false positives (#278)
Fix: under BSD, the data returned when reading MSR was incorrectly formatted
Misc: update builtin MCEdb from v110 to v111
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Tue Jun 04, 2019 6:19 am
by Gerson
Good morning, I just installed and checked on my computer and the following appears:
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
CVE-2017-5715 KO. What can I do? I use kernel 5.0.20 Liquorix and I have an installation of MX 18.3.
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Tue Jun 04, 2019 9:09 am
by mmikeinsantarosa
Gerson, you are in much better shape than I am at the moment. I am running the 4.15.0-1 because that is the latest kernel that allows my mobile broadband card to work when I am camping. With this kernel the command returns:
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:KO CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
Run the command including --explain as in
spectre-meltdown-checker --explain
to see if that gives you any more information.
Also, check this thread. anti just made available some new antiX kernels that might help.
- mike
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Tue Jun 04, 2019 4:15 pm
by Stevo
Gerson wrote: Tue Jun 04, 2019 6:19 am
Good morning, I just installed and checked on my computer and the following appears:
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
CVE-2017-5715 KO. What can I do? I use kernel 5.0.20 Liquorix and I have an installation of MX 18.3.
Go back up in the output to the full section for that CVE and see why it's a problem. You can see by the date that it's one of the original Spectre variants. I'm OK with that one, here's that section that I get:
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Wed Jun 05, 2019 7:33 am
by Gerson
@Stevo, here's the section that I get:
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Kernel supports RSB filling: UNKNOWN (kernel image missing)
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Wed Jun 05, 2019 3:30 pm
by Stevo
This is the only difference in the output, and I don't know why it says your kernel image is missing. I'm using the 5.1 Liquorix kernel at the moment, so this begs the question as to what you have (uname -a) and if you get the same output with a different kernel.
* Kernel supports RSB filling: UNKNOWN (kernel image missing)
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Thu Jun 06, 2019 6:48 am
by Gerson
Currently:
$ uname -a
Linux mx 5.1.0-6.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 5.1-1~mx17+1 (2019-06-01) x86_64 GNU/Linux
With another kernel (4.19.0-5-amd64 #1 SMP Debian 4.19.37-2~mx17+1) the output:
$ sudo spectre-meltdown-checker
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
There are no vulnerabilities.
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Thu Jun 06, 2019 7:15 am
by MAYBL8
Mine says this after running the checker:
What do I need to do?
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it t
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Thu Jun 06, 2019 7:33 am
by philotux
There seem to be some vulnerabilities still present in my system. The following is the output of spectre-meltdown-checker:
sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.42
Checking for vulnerabilities on current system
Kernel is Linux 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1~mx17+1 (2019-01-19) x86_64
CPU is Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: YES
* CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: YES
* CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: YES
* CPU indicates STIBP capability: YES (Intel STIBP feature bit)
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: YES (Intel SSBD)
* L1 data cache invalidation
* FLUSH_CMD MSR is available: YES
* CPU indicates L1D flush capability: YES (L1D flush feature bit)
* Microarchitecture Data Sampling
* VERW instruction is available: YES (MD_CLEAR feature bit)
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
* Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
* CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
* CPU supports Software Guard Extensions (SGX): YES
* CPU microcode is known to cause stability problems: NO (model 0x8e family 0x6 stepping 0xa ucode 0xb4 cpuid 0x806ea)
* CPU microcode is the latest known available version: YES (latest version is 0xb4 dated 2019/04/01 according to builtin MCExtractor DB v111 - 2019/05/18)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
* Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
* Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
* Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
* Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
* Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): YES
* Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
* Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
* Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
* Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
* Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
* Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm64): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: YES (for firmware code only)
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: YES
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
* Kernel supports RSB filling: YES
> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
* SSB mitigation is enabled and active: YES (per-thread through prctl)
* SSB mitigation currently active for selected processes: YES (audacious chromium)
> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability: YES
> STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: YES
> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
* EPT is disabled: NO
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
* L1D flush enabled: YES (conditional flushes)
* Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
* Hyper-Threading (SMT) is enabled: YES
> STATUS: NOT VULNERABLE (this system is not running a hypervisor)
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
Please advise if there is anything I can do to mitigate these vulnerabilities.
Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread
Posted: Thu Jun 06, 2019 2:49 pm
by Stevo
MAYBL8 wrote: Thu Jun 06, 2019 7:15 am
Mine says this after running the checker:
What do I need to do?
CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)
CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation: NO
> STATUS: VULNERABLE (Your microcode supports mitigation, but your kernel doesn't, upgrade it t
Do what it recommends! Philotux is also running a 4.19.0-2 kernel that needs updating.
Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability
If "uname -a" shows kernel version 4.19.0-1 (4.19.5) or earlier, use MX Package Installer to reinstall or install the 4.19 kernel, which will update to the current 4.19.0-5 (4.19.37) MX kernel. The other options are newer antiX or Liquorix kernels, but if you're using broadcom-sta or Nvidia drivers, you probably need to update those from the test repo first.
Gerson, are you still getting the problem with the 5.1 Liquorix kernel?
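A small POSIX shell helper, added here as an example and not code from the thread or from spectre-meltdown-checker, that does three of the things discussed above: pulls the KO entries out of a SUMMARY line, applies Stevo's "4.19.0-1 or earlier needs a reinstall" rule to a uname -r string (treating any 4.19.0-N below the current 4.19.0-5 as too old is my assumption), and reads a directory shaped like /sys/devices/system/cpu/vulnerabilities, which is the "/sys interface" the checker reports on, treating a missing entry as the kernel being too old to know about that mitigation. The sample values are constructed from output posted in this thread.

```shell
# Added example, not code from the thread or the checker. Constructed sample: philotux's SUMMARY line.
SAMPLE_SUMMARY='SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO'

# List the CVE ids the checker marked KO, space separated, in output order.
ko_cves() {
    out=""
    for tok in $1; do
        case "$tok" in
            CVE-*:KO) out="$out${out:+ }${tok%:KO}" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Stevo's rule: an MX 4.19 kernel older than the current 4.19.0-5 needs a reinstall.
# Assumption (mine): 4.19.0-N with N < 5 counts as older; other series are not judged.
mx_kernel_needs_update() {
    rel="$1"                  # e.g. "4.19.0-2-amd64" from uname -r
    base="${rel%%-*}"         # "4.19.0"
    [ "$base" = "$rel" ] && { echo unknown; return 0; }   # no ABI revision at all
    rest="${rel#*-}"; abi="${rest%%-*}"   # "2"
    case "$base" in
        4.19.0) if [ "$abi" -lt 5 ]; then echo yes; else echo no; fi ;;
        *)      echo not-mx-4.19 ;;
    esac
}

# Mirror the checker's "/sys interface" check against a directory laid out like
# /sys/devices/system/cpu/vulnerabilities (pass the real path on a live box).
sys_vuln_report() {
    for name in meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds; do
        f="$1/$name"
        if [ ! -f "$f" ]; then
            # No entry at all: the running kernel predates that mitigation (a 4.19.0-2
            # kernel without MDS support, as in the thread, has no "mds" file).
            echo "$name: UNKNOWN (no sysfs entry, kernel predates this mitigation)"
            continue
        fi
        status="$(cat "$f")"
        case "$status" in
            Vulnerable*) echo "$name: KO ($status)" ;;
            *)           echo "$name: OK ($status)" ;;
        esac
    done
}

# Constructed stand-in for the sysfs directory: spectre_v2 and l1tf text copied from
# the thread, spec_store_bypass set to Vulnerable; only these three entries are written.
make_sample_sysdir() {
    d="$(mktemp -d)"
    printf 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n' > "$d/spectre_v2"
    printf 'Vulnerable\n' > "$d/spec_store_bypass"
    printf 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable\n' > "$d/l1tf"
    echo "$d"
}
```

On a real machine, `sys_vuln_report /sys/devices/system/cpu/vulnerabilities` needs no root, unlike the checker's MSR reads.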