You are not logged in.
bugs.debian.org:
https://security-tracker.debian.org/tra … -2017-5753
https://security-tracker.debian.org/tra … -2017-5715
https://security-tracker.debian.org/tra … -2017-5754
The kernel developers have provided a handy user space indicator for the vulnerability of any given system against the three above linked exploits.
Simply run this command to list them:
grep -r . /sys/devices/system/cpu/vulnerabilities
Output from my Alpine Linux system:
alpine:~$ grep -r . /sys/devices/system/cpu/vulnerabilities
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Vulnerable: Minimal generic ASM retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
alpine:~$
Is Debian using full retpoline? I will have to check later...
Offline
I read somewhere that Intels Atom chips are not effected, so for the time being im good.
Also that there are no known exploits curently being used that target these vulnerabilities.
What I dont understand is that Intel and AMD have known about these for some time, so why now are these vulnerabilities being brought to the publics attention?
Offline
Intel and AMD have known about these for some time, so why now are these vulnerabilities being brought to the publics attention?
Because the fixes for the open source operating systems (Linux in particular) are committed in public and cannot be hidden.
There was an agreed embargo with developers signing a non-disclosure agreement but it was rumbled when the open source community studied the actual commits...
Offline
Could somebody please tell in plain human language what this is doing: https://github.com/idea4good/spectre
"we will dump user data without reading it" - what's this supposed to mean? There is also: "you could dump IE browser data"
Offline
cat /etc/issue.net && uname -r && grep -r . /sys/devices/system/cpu/vulnerabilities
Debian GNU/Linux 9
4.9.0-6-amd64
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
Offline
Spectre-meltdown-checker script backported to the MX 15 Jessie base: http://mxrepo.com/mx/repo/pool/main/s/s … n-checker/ I guess Debian didn't feel the need to do a Jessie backport themselves.
After installation, run "spectre-meltdown-checker" in a terminal.
Offline
what this is doing: https://github.com/idea4good/spectre
It's a proof of concept for the exploit 8)
Here's another:
https://github.com/genua/meltdown
EDIT: use at your own risk!
Last edited by Head_on_a_Stick (2018-03-26 21:03:27)
Offline
@stevep
sudo spectre-meltdown-checker | grep "STATUS"
^ Lots of data, should the above be enough?
Offline
@stevep
sudo spectre-meltdown-checker | grep "STATUS"
^ Lots of data, should the above be enough?
That skips the microcode section of the results. A newer intel-microcode is now in jessie-backports-sloppy, as well as in stretch-backports and upstream: https://packages.debian.org/jessie-back … -microcode
But if all you want is to check the kernel, your line of code will give a good summary.
Offline
It's a proof of concept for the exploit 8)
In other words: Code to demonstrate how to exploit the vulnerability? Do I understand it correctly?
Offline
^ Yes, that's right.
Offline
@HoaS I see, thank you for the explanation.
Offline