Check for Spectre, Meltdown, and L1 Terminal Fault Vulnerabilities with Spectre-meltdown-checker Script

Yesterday, we wrote a little bit about the new speculative execution vulnerability known as L1 Terminal Fault (L1TF) or Foreshadow, and a reader – MHSadri – pointed to an interesting script that checks for all three speculative execution vulnerabilities, and runs in Linux and BSD (FreeBSD, NetBSD, DragonFlyBSD)  across multiple architectures: Intel x32, AMD64, Arm and ARM64. Other architectures will also work, but mitigation reporting may not be correct.

So I tried it on my own machine, a computer running Ubuntu 18.04 on an AMD FX8350 processor.

Installation is easy:

The developer recommends to check the script manually first, just for security sake. You can have two way to run it: either directly inside your OS, or via docker which may be a better idea since it would not be able to mess with your system especially I had to run it with sudo to avoid permission issues.

Here’s the full output while running the script in a terminal window in my computer:

So if I read that right my machine implements mitigation for all variant of Spectre and Meltdown, and is not affected by L1 terminal fault as expected for an AMD processor.

However, trying on some remote computer with an Intel Xeon processor tells a different story:

The system is not only vulnerable to L1 terminal fault, but also to Meltdown variant 3a and 4. Other variants of Spectre and Meltdown (not shown) are “NOT VULNERABLE” with mitigations already implemented.

Share this:

Support CNX Software! Donate via cryptocurrencies or become a Patron on Patreon

5 Replies to “Check for Spectre, Meltdown, and L1 Terminal Fault Vulnerabilities with Spectre-meltdown-checker Script”

  1. A nifty script, with one remark: on arm big.LITTLE it reports the CPU as the first encountered uarch, even though the checks are performed against all present uarchs — so for instance a machine with big A72 cores is properly identified as vulnerable to Spectre variants 1, 2, 3a & 4, even though the CPU might be reported as A53.

  2. I hate running unknown tools under sudo and preferred to read it first. That’s a very well written script, like I’ve not seen for a long time. And in addition it’s useful, maybe it will remind many admins that it’s still possible to write useful tools without having to install $whatever_new_language_of_the_day. As is often the case, well written scripts work well 🙂 Just an advice to the author, instead of requiring sudo for the whole script, it’s often better to have a SUDO variable in it for the rare commands that require sudo, and ask users to run “SUDO=sudo ./script”. This way they won’t expose their system to a random bug in the script at least.

  3. @cnx-software, using AMD CPU? Other people are not so lucky! See some pretty shocking stats about the effectiveness of those flaws in clouds, VPSes laptops, desktops, … as well as softwares (Web Browsers, OS, Antivirus, …)

    Summary of the patch status for Meltdown / Spectre

    Meltdown and Spectre .. for normal people:

    So, according to the results, if you are browsing the web, you may be targeting by hackers’ espionage through browser’s other tab! Multi-tab browsers became the new toy in the hands of hackers / intelligence agencies to get what they are looking for! I have just tested the script on my (brand new!) VPS and guess what? Their brand new Skylake VPS are vulnerable to all 4 versions and generic Ubuntu 18.04 was vulnerable to v3a, v4, Foreshadow (CVE-2018-3615/3620/3646).

    Special thanks to Intel guys!

  4. Check out “bug” in /proc/cpuinfo:

    My brandnew i3 (with Linux 4.1something)
    $ grep bug /proc/cpuinfo | sort -u
    bugs : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass

    An old XEON (with Linux 3.something)
    $ grep bug /proc/cpuinfo | sort -u
    fdiv_bug : no
    f00f_bug : no
    coma_bug : no

    An old Atom (with Linux 3.something)
    $ grep bug /proc/cpuinfo | sort -u
    coma_bug : no
    f00f_bug : no
    fdiv_bug : no

Leave a Reply

Your email address will not be published. Required fields are marked *