
MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Mar 01, 2018 1:28 pm
by Stevo
Debian has packaged this script for checking your vulnerabilities, so we now have it in the main repo.

Simple install and run instructions:

Code:

sudo apt-get install spectre-meltdown-checker
sudo spectre-meltdown-checker

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Mar 01, 2018 1:45 pm
by Gerson
I already did it and this is the terminal's answer.
I do not understand anything. :bawling:

Code:

$ sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.34

Checking for vulnerabilities on current system
Kernel is Linux 4.15.3-antix.1-amd64-smp #2 SMP PREEMPT Tue Feb 13 16:49:07 EET 2018 x86_64
CPU is Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 78 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  YES  (1 occurence(s) found of 64 bits array_index_mask_nospec())
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  NO 
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO 
    * IBRS enabled for User space:  NO 
    * IBPB enabled:  NO 
* Mitigation 2
  * Kernel compiled with retpoline option:  YES 
  * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports minimal retpoline compilation)
  * Retpoline enabled:  NO 
> STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

A false sense of security is worse than no security at all, see --disclaimer

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Mar 01, 2018 1:57 pm
by Stevo
It means you should update to a newer antiX 4.15.5, MX 4.15.4, or Liquorix 4.15 kernel if you need Spectre v_2 hardening. The first hardware part means we are all still waiting for Intel to release firmware to fix the problems without screwing up the stability of our machines.

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Mar 01, 2018 10:40 pm
by Gerson
Which one do you recommend booting the machine with?

Code:

$ sudo dpkg --get-selections | grep linux-image
[sudo] password for gerson:
linux-image-4.14.0-3-amd64 install
linux-image-4.15.0-5.1-liquorix-amd64 install
linux-image-4.15.3-antix.1-amd64-smp install

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Mon Nov 19, 2018 10:39 pm
by Stevo
We've rolled the latest 0.40 from stretch-backports in the main MX 17 and 15/16 repos to make it more convenient to install. We also updated the package description to accurately reflect its current capabilities.

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Nov 20, 2018 1:28 am
by stsoh
6 ok out of 8 vulnerabilities.

Code:

Spectre and Meltdown mitigation detection tool v0.40
Checking for vulnerabilities on current system
Kernel is Linux 4.19.2 #1 SMP PREEMPT Wed Nov 14 13:59:19 +08 2018 x86_64
CPU is Pentium(R) Dual-Core  CPU      E5400  @ 2.70GHz.......
SUMMARY:
CVE-2017-5753:OK
CVE-2017-5715:OK
CVE-2017-5754:OK
CVE-2018-3640:KO
CVE-2018-3639:KO 
CVE-2018-3615:OK
CVE-2018-3620:OK
CVE-2018-3646:OK

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Nov 20, 2018 3:55 am
by Kulmbacher
nice, 8 OK

Code:

Spectre and Meltdown mitigation detection tool v0.40
Checking for vulnerabilities on current system
Kernel is Linux 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64
CPU is Intel(R) Core(TM) i5-2430M CPU @ 2.40GHz
SUMMARY: 
CVE-2017-5753:OK
CVE-2017-5715:OK 
CVE-2017-5754:OK 
CVE-2018-3640:OK 
CVE-2018-3639:OK 
CVE-2018-3615:OK 
CVE-2018-3620:OK 
CVE-2018-3646:OK

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Nov 20, 2018 5:46 am
by Gerson
Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:

Code:

sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.18.0-18.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 4.18-22~mx17+1 (2018-11-13) x86_64
CPU is Intel(R) Core(TM) i3-6100U CPU @ 2.30GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x4e family 0x6 stepping 0x3 ucode 0xc6 cpuid 0x406e3)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xc6 dated 2018/04/17 according to builtin MCExtractor DB v84 - 2018/09/27)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has the Red Hat/Ubuntu patch:  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Kernel has mask_nospec64 (arm64):  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
* Checking count of LFENCE instructions following a jump in kernel...  UNKNOWN  (couldn't check (missing 'lzop' tool, please install it, usually it's in the 'lzop' package))
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB, IBRS_FW, STIBP)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for kernel and firmware code)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  UNKNOWN  (kernel image missing)
> STATUS:  NOT VULNERABLE  (IBRS + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports speculation store bypass:  YES  (found in /proc/self/status)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion)
* Kernel supports PTE inversion: strings: '': No hay tal fichero
 NO 
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: VMX: conditional cache flushes, SMT vulnerable
* This system is a host running an hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running an hypervisor)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK

Need more detailed information about mitigation options? Use --explain
A false sense of security is worse than no security at all, see --disclaimer

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Nov 20, 2018 6:13 am
by stsoh
Gerson wrote: Tue Nov 20, 2018 5:46 am Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:
........
make it simple, use code.
delete text in-between hardware check to summary (bottom last few lines) and last couple text lines.
look at the example above then you can see vulnerabilities clearly.

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Nov 20, 2018 1:45 pm
by Stevo
stsoh wrote: Tue Nov 20, 2018 6:13 am
Gerson wrote: Tue Nov 20, 2018 5:46 am Today I ran the command:
$ sudo spectre-meltdown-checker
And this is the result but I do not understand anything:
........
make it simple, use code.
delete text in-between hardware check to summary (bottom last few lines) and last couple text lines.
look at the example above then you can see vulnerabilities clearly.
Yes, just look at the lines that begin with "STATUS". You don't have any vulnerabilities that it currently checks.
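The advice in this post (look only at the lines that begin with "STATUS") can be automated. The script below is an added example, not code from the thread or from the spectre-meltdown-checker project: it reads the checker's report on stdin, prints one line per CVE with its verdict and the reason the tool gives, lists the CVEs still marked VULNERABLE, and returns a non-zero exit status if any remain, so it can sit behind a monitoring check. The report embedded in `sample_report` is constructed from the output format shown in this thread; in real use, pipe `sudo spectre-meltdown-checker` into the functions instead.

```shell
#!/bin/sh
# Added example, not from the thread or from the spectre-meltdown-checker
# project: condense the checker's report to one line per CVE and flag the
# ones whose STATUS line says VULNERABLE.

# Constructed sample report, following the format the tool prints
# (section header "CVE-...", detail lines, then a "> STATUS:" line).
sample_report() {
    cat <<'EOF'
Spectre and Meltdown mitigation detection tool v0.40

Checking for vulnerabilities on current system
Kernel is Linux 4.18.0-18.1-liquorix-amd64 x86_64

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  NO  (kernel confirms your system is vulnerable)
  * Kernel supports RSB filling:  UNKNOWN  (kernel image missing)
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK
EOF
}

# Read a report on stdin; print one tab-separated line per CVE:
# "<CVE id>\t<verdict>\t<reason>". The id comes from the section header,
# the verdict and reason from the "> STATUS:" line that closes the section.
summarize_report() {
    awk '
        /^CVE-[0-9]+-[0-9]+/ { cve = $1; next }
        /^> STATUS:/ {
            line = $0
            sub(/^> STATUS:[ ]*/, "", line)
            verdict = line
            sub(/[ ]*\(.*$/, "", verdict)      # drop the "(reason)" part
            reason = ""
            if (match(line, /\(.*\)$/))
                reason = substr(line, RSTART + 1, RLENGTH - 2)
            printf "%s\t%s\t%s\n", cve, verdict, reason
        }'
}

# Read a report on stdin; print the ids of CVEs whose verdict is VULNERABLE.
vulnerable_cves() {
    summarize_report | awk -F'\t' '$2 == "VULNERABLE" { print $1 }'
}

# Read a report on stdin; succeed (exit 0) only if no CVE is VULNERABLE.
check_report() {
    n=$(vulnerable_cves | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# Demonstration on the constructed report.
sample_report | summarize_report
if sample_report | check_report; then
    echo "all checked CVEs mitigated"
else
    echo "still vulnerable: $(sample_report | vulnerable_cves | tr '\n' ' ')"
fi
```

The functions only key on the `CVE-` section headers and the `> STATUS:` lines, so extra detail lines (or the `UNKNOWN` lines produced when the kernel image cannot be read) do not disturb the result; the reason string is kept because, as the later posts show, it is what tells you whether a kernel or a microcode update is the fix.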

Re: MX 17 Repository: The Spectre-Meltdown-Checker Thread

Posted: Mon Jun 03, 2019 5:48 pm
by Stevo
Updated to 2.4.2 in the main repos for MX 15-18. This looks for the latest Zombieload and other vulnerabilities:
2.4.1

Feature: add support for the 4 MDS CVEs (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 / Fallout, RIDL, ZombieLoad)
Feature: add Spectre and Meltdown mitigation detection for Hygon CPU (#271)
Feature: for SSBD, report whether the mitigation is active (in live mode) (#210)
Enhancement: better Xen and hypervisors detection (#259) (#270)
Enhancement: in paranoid mode, assume we're running a hypervisor (for L1TF) unless stated otherwise
Enhancement: better detect Arch kernel image location (#268)
Fix: error when no process used prctl to set SSB mitigation
Fix: invalid names in json batch mode (#279)
Fix: IBRS kernel reported active even if sysfs had "IBRS_FW" only (#275) (#276)
Fix: load vmm under BSD if not already loaded (#274)
Fix: misdetection of files under Clear Linux (#264)
Misc: update MCEdb to v110
Misc: dozens of other fixes and enhancements

2.4.2
Feature: add FreeBSD MDS mitigation detection
Feature: add mocking functionality to help debugging, dump data to mock the behavior of your CPU with --dump-mock-data
Fix: AMD, ARM and CAVIUM are not vulnerable to MDS
Fix: RDCL_NO bit wasn't taking precedence for L1TF check on some newer Intel CPUs
Fix: The MDS_NO bit on newer Intel CPUs is now recognized and used
Fix: remove libvirtd from hypervisor detection to avoid false positives (#278)
Fix: under BSD, the data returned when reading MSR was incorrectly formatted
Misc: update builtin MCEdb from v110 to v111

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Jun 04, 2019 6:19 am
by Gerson
Good morning, I just installed and checked on my computer and the following appears:

Code:

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
CVE-2017-5715 is KO. What can I do? I use the 5.0.20 Liquorix kernel and have an installation of MX 18.3.

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Jun 04, 2019 9:09 am
by mmikeinsantarosa
Gerson, you are in much better shape than I am at the moment. I am running the 4.15.0-1 because that is the latest kernel that allows my mobile broadband card to work when I am camping. With this kernel the command returns:
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:KO CVE-2018-3620:KO CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
Run the command including --explain as in

Code:

spectre-meltdown-checker --explain
to see if that gives you any more information.
Also, check this thread; anti just made available some new antiX kernels that might help.

- mike

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Jun 04, 2019 4:15 pm
by Stevo
Gerson wrote: Tue Jun 04, 2019 6:19 am Good morning, I just installed and checked on my computer and the following appears:

Code:

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
CVE-2017-5715 is KO. What can I do? I use the 5.0.20 Liquorix kernel and have an installation of MX 18.3.
Go back up in the output to the full section for that CVE and see why it's a problem. You can see by the date that it's one of the original Spectre variants. I'm OK with that one, here's that section that I get:

Code:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Wed Jun 05, 2019 7:33 am
by Gerson
@Stevo; here's that section that I get:

Code:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  UNKNOWN  (kernel image missing)
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB+RSB filling, is needed to mitigate the vulnerability)
@Stevo

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Wed Jun 05, 2019 3:30 pm
by Stevo
This is the only difference in the output, and I don't know why it says your kernel image is missing. I'm using the 5.1 Liquorix kernel at the moment, so this begs the question as to what you have (uname -a) and if you get the same output with a different kernel.

Code:

  * Kernel supports RSB filling:  UNKNOWN  (kernel image missing)

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 6:48 am
by Gerson
Currently:
$ uname -a

Code:

Linux mx 5.1.0-6.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 5.1-1~mx17+1 (2019-06-01) x86_64 GNU/Linux
With another kernel (4.19.0-5-amd64 #1 SMP Debian 4.19.37-2~mx17+1) the output:
$ sudo spectre-meltdown-checker

Code:

SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
There are no vulnerabilities.

Code:

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 7:15 am
by MAYBL8
Mine says this after running the checker:
What do I need to do?

Code:

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it t

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 7:33 am
by philotux
There seem to be some vulnerabilities still present in my system. The following is the output of spectre-meltdown-checker:

Code:

sudo spectre-meltdown-checker
Spectre and Meltdown mitigation detection tool v0.42

Checking for vulnerabilities on current system
Kernel is Linux 4.19.0-2-amd64 #1 SMP Debian 4.19.16-1~mx17+1 (2019-01-19) x86_64
CPU is Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitecture Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU supports Software Guard Extensions (SGX):  YES 
  * CPU microcode is known to cause stability problems:  NO  (model 0x8e family 0x6 stepping 0xa ucode 0xb4 cpuid 0x806ea)
  * CPU microcode is the latest known available version:  YES  (latest version is 0xb4 dated 2019/04/01 according to builtin MCExtractor DB v111 - 2019/05/18)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES 
> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  YES  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  YES  (per-thread through prctl)
* SSB mitigation currently active for selected processes:  YES  (audacious chromium)
> STATUS:  NOT VULNERABLE  (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  YES 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO
Please advise if there is anything I can do to mitigate these vulnerabilities.

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 2:49 pm
by Stevo
MAYBL8 wrote: Thu Jun 06, 2019 7:15 am Mine says this after running the checker:
What do I need to do?

Code:

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Kernel supports using MD_CLEAR mitigation:  NO 
> STATUS:  VULNERABLE  (Your microcode supports mitigation, but your kernel doesn't, upgrade it t
Do what it recommends! Philotux is also running a 4.19.0-2 kernel that needs updating.
Your microcode supports mitigation, but your kernel doesn't, upgrade it to mitigate the vulnerability
If "uname -a" shows kernel version 4.19.0-1 (4.19.5) or earlier, use MX Package Installer to reinstall or install the 4.19 kernel, which will update to the current 4.19.0-5 (4.19.37) MX kernel. The other options are newer antiX or Liquorix kernels, but if you're using broadcom-sta or Nvidia drivers, you probably need to update those from the test repo first.

Gerson, are you still getting the problem with the 5.1 Liquorix kernel?
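The rule in the post above (a 4.19.0-1 kernel or earlier needs the update, 4.19.0-5 carries it) is a version comparison on the output of `uname -r`, and plain string comparison gets it wrong ("4.19.0-10" sorts before "4.19.0-5"). The script below is an added example, not code from the thread or from MX Linux: it compares two kernel release strings component by component, ignoring the flavour suffix, and reports whether the running kernel is at or above a required release. The threshold 4.19.0-5 is taken from the post; the release strings used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from MX Linux: decide whether a
# kernel release string is at or above the release that carries a fix.

# Compare two kernel release strings numerically, component by component.
# Only the leading digits, dots and dashes are compared ("4.19.0-5"); the
# flavour suffix ("-amd64", "-liquorix-amd64", "-antix.1-amd64-smp") is cut
# off at the first letter. Prints -1, 0 or 1 like a comparator.
compare_kernel_release() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.-].*$/, "", a)            # cut at the first letter
        sub(/[^0-9.-].*$/, "", b)
        na = split(a, pa, /[.-]+/)
        nb = split(b, pb, /[.-]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            # a missing or empty component counts as 0 ("4.19.0-5" == "4.19.0-5-")
            x = (i <= na && pa[i] != "") ? pa[i] + 0 : 0
            y = (i <= nb && pb[i] != "") ? pb[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# Succeed (exit 0) when release $1 is at least release $2.
kernel_release_is_at_least() {
    [ "$(compare_kernel_release "$1" "$2")" -ge 0 ]
}

# Print a verdict for release $1 against required release $2.
# For the booted kernel, pass "$(uname -r)" as the first argument.
report_kernel() {
    if kernel_release_is_at_least "$1" "$2"; then
        echo "kernel $1 is at or above $2"
    else
        echo "kernel $1 is older than $2: update it"
    fi
}

# Demonstration with constructed release strings and the 4.19.0-5 threshold
# named in the thread.
report_kernel 4.19.0-1-amd64 4.19.0-5
report_kernel 4.19.0-5-amd64 4.19.0-5
report_kernel 5.1.0-6.1-liquorix-amd64 4.19.0-5
```

The comparison stops at the first letter on purpose: the Debian revision and flavour part of a release name ("-liquorix-amd64") says nothing about which fixes the kernel carries, and the Liquorix and antiX kernels in this thread put letters in different places, so stripping from the first letter keeps the rule uniform across them.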

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 4:18 pm
by philotux
Stevo wrote: Thu Jun 06, 2019 2:49 pm If "uname -a" shows kernel version 4.19.0-1 (4.19.5) or earlier, use MX Package Installer to reinstall or install the 4.19 kernel, which will update to the current 4.19.0-5 (4.19.37) MX kernel.
Great! Thank you so much Stevo. Following your advice on updating the kernel, all is green here:

Code:

SUMMARY: 
CVE-2017-5753:OK 
CVE-2017-5715:OK 
CVE-2017-5754:OK 
CVE-2018-3640:OK 
CVE-2018-3639:OK 
CVE-2018-3615:OK 
CVE-2018-3620:OK 
CVE-2018-3646:OK 
CVE-2018-12126:OK 
CVE-2018-12130:OK 
CVE-2018-12127:OK 
CVE-2019-11091:OK

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 5:23 pm
by Stevo
Mmikeinsantarosa has also reported that the secure Liquorix 5.1 kernel also supports his broadband wimax internet card.

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 7:05 pm
by Gerson
MX 18.3 comes with the kernel linux-image-4.19.0-5-amd64-unsigned, which does not give me any vulnerabilities, but if I install a kernel newer than the one MX 18.3 ships with, for example Linux mx 4.20.0-16.2-liquorix-amd64, it gives me 5 vulnerabilities, and if I go up to linux-image-5.1.0-6.1-liquorix-amd64 it gives me only one vulnerability.

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Thu Jun 06, 2019 7:09 pm
by Stevo
The 4.20 kernel is actually older than our MX 4.19.37 kernel, does not have the security fixes, and is no longer supported. I'll ask Tim to remove it from the repo.

I can't get that problem with the Liquorix 5.1-0.6 kernels--does any other user get it?

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Fri Jun 07, 2019 9:06 am
by mmikeinsantarosa
My laptop:

Code:

System:    Host: mx17mainlt Kernel: 5.1.0-6.1-liquorix-amd64 x86_64 bits: 64 
           Desktop: Xfce 4.12.3 Distro: MX-18.3_x64 Continuum March 14  2018 
SUMMARY: CVE-2017-5753:OK
CVE-2017-5715:KO
CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Fri Jun 07, 2019 12:19 pm
by Gerson
Notebook Compaq Presario 21 Verk

Code:

Linux mx 5.1.0-6.1-liquorix-amd64 #1 ZEN SMP PREEMPT liquorix 5.1-1~mx17+1 (2019-06-01) x86_64 GNU/Linux
CVE-2017-5715:KO
SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK

Re: MX 17/18 Repository: The Spectre-Meltdown-Checker Thread

Posted: Tue Dec 01, 2020 5:08 pm
by Stevo
Updated to 0.44 in main repo. The official release adds checking for CVE-2020-0543 [Special Register Buffer Data Sampling (SRBDS)].