
#1 2018-02-03 14:06:55

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Meltdown & Spectre: check your vulnerability

bugs.debian.org:
https://security-tracker.debian.org/tra … -2017-5753
https://security-tracker.debian.org/tra … -2017-5715
https://security-tracker.debian.org/tra … -2017-5754

The kernel developers have provided a handy user space indicator for the vulnerability of any given system against the three above linked exploits.

Simply run this command to list them:

grep -r . /sys/devices/system/cpu/vulnerabilities

Output from my Alpine Linux system:

alpine:~$ grep -r . /sys/devices/system/cpu/vulnerabilities   
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
alpine:~$

Is Debian using full retpoline? I will have to check later...

Offline
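
A small wrapper around the sysfs check from the post above, added here as an example (it is not code from any poster or from the kernel developers). It flags every entry whose state starts with "Vulnerable", including the "Vulnerable: Minimal generic ASM retpoline" case, and returns a non-zero status for use in scripts. The function names and the constructed sample directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise /sys/devices/system/cpu/vulnerabilities.

# classify_state STATE: print OK, VULNERABLE or UNKNOWN for one state string.
classify_state() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo OK ;;
        Vulnerable*)                    echo VULNERABLE ;;  # incl. "Vulnerable: Minimal ..."
        *)                              echo UNKNOWN ;;
    esac
}

# check_cpu_vulns [DIR]: one line per entry.
# Returns 0 if every entry is OK, 1 if any is not, 2 if nothing could be read.
check_cpu_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    rc=0
    seen=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        seen=$((seen + 1))
        state=$(cat "$f")
        verdict=$(classify_state "$state")
        [ "$verdict" = OK ] || rc=1
        printf '%-12s %-10s %s\n' "$(basename "$f")" "$verdict" "$state"
    done
    if [ "$seen" -eq 0 ]; then
        echo "no entries under $dir" >&2
        return 2
    fi
    return "$rc"
}

# make_sample DIR: constructed sample that mirrors the Alpine output above.
make_sample() {
    mkdir -p "$1"
    echo 'Vulnerable: Minimal generic ASM retpoline' > "$1/spectre_v2"
    echo 'Vulnerable' > "$1/spectre_v1"
    echo 'Mitigation: PTI' > "$1/meltdown"
}

# Demo on the constructed sample; pass no argument to check the live system.
tmp=$(mktemp -d)
make_sample "$tmp"
check_cpu_vulns "$tmp" || echo "=> at least one issue is not fully mitigated"
rm -rf "$tmp"
```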

#2 2018-02-03 16:38:11

ATG-Fox
Member
From: Fareham - UK
Registered: 2018-01-31
Posts: 8

Re: Meltdown & Spectre: check your vulnerability

I read somewhere that Intel's Atom chips are not affected, so for the time being I'm good.

Also that there are no known exploits currently being used that target these vulnerabilities.

What I don't understand is that Intel and AMD have known about these for some time, so why now are these vulnerabilities being brought to the public's attention?

Offline

#3 2018-02-03 17:48:41

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: Meltdown & Spectre: check your vulnerability

ATG-Fox wrote:

Intel and AMD have known about these for some time, so why now are these vulnerabilities being brought to the public's attention?

Because the fixes for the open source operating systems (Linux in particular) are committed in public and cannot be hidden.

There was an agreed embargo with developers signing a non-disclosure agreement but it was rumbled when the open source community studied the actual commits...

Offline

#4 2018-03-26 19:59:34

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Meltdown & Spectre: check your vulnerability

Could somebody please tell in plain human language what this is doing: https://github.com/idea4good/spectre

"we will dump user data without reading it" - what's this supposed to mean? There is also: "you could dump IE browser data"

Offline

#5 2018-03-26 20:21:03

brontosaurusrex
Middle Office
Registered: 2015-09-29
Posts: 2,746

Re: Meltdown & Spectre: check your vulnerability

cat /etc/issue.net && uname -r && grep -r . /sys/devices/system/cpu/vulnerabilities 
Debian GNU/Linux 9
4.9.0-6-amd64
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI

Offline

#6 2018-03-26 20:53:29

stevep
MX Linux Developer
Registered: 2016-08-08
Posts: 381

Re: Meltdown & Spectre: check your vulnerability

Spectre-meltdown-checker script backported to the MX 15 Jessie base: http://mxrepo.com/mx/repo/pool/main/s/s … n-checker/  I guess Debian didn't feel the need to do a Jessie backport themselves.

After installation, run "spectre-meltdown-checker" in a terminal.

Offline

#7 2018-03-26 21:03:11

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: Meltdown & Spectre: check your vulnerability

martix wrote:

It's a proof of concept for the exploit 8)

Here's another:

https://github.com/genua/meltdown

EDIT: use at your own risk!

Last edited by Head_on_a_Stick (2018-03-26 21:03:27)

Offline

#8 2018-03-26 21:03:52

brontosaurusrex
Middle Office
Registered: 2015-09-29
Posts: 2,746

Re: Meltdown & Spectre: check your vulnerability

@stevep

sudo spectre-meltdown-checker | grep "STATUS"

^ Lots of data, should the above be enough?

Offline

#9 2018-03-27 00:16:53

stevep
MX Linux Developer
Registered: 2016-08-08
Posts: 381

Re: Meltdown & Spectre: check your vulnerability

brontosaurusrex wrote:

@stevep

sudo spectre-meltdown-checker | grep "STATUS"

^ Lots of data, should the above be enough?

That skips the microcode section of the results.  A newer intel-microcode is now in jessie-backports-sloppy, as well as in stretch-backports and upstream:  https://packages.debian.org/jessie-back … -microcode

But if all you want is to check the kernel, your line of code will give a good summary.

Offline

#10 2018-03-27 18:39:46

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Meltdown & Spectre: check your vulnerability

Head_on_a_Stick wrote:

It's a proof of concept for the exploit 8)

In other words: Code to demonstrate how to exploit the vulnerability? Do I understand it correctly?

Offline

#11 2018-03-27 20:11:42

Head_on_a_Stick
Member
From: London
Registered: 2015-09-29
Posts: 9,093

Re: Meltdown & Spectre: check your vulnerability

^ Yes, that's right.

Offline

#12 2018-03-28 08:49:13

martix
Kim Jong-un Stunt Double
Registered: 2016-02-19
Posts: 1,267

Re: Meltdown & Spectre: check your vulnerability

@HoaS I see, thank you for the explanation.

Offline
