技术栈

主页 > 系统 >

检查你的系统中是不是还有Spectre & Meltdown漏洞

技术栈 - 中国领先的IT技术门户

概述

这两个漏洞详细的我就不多说了,自己去百度,反正这两个东西忙坏了云服务厂商就对了,目前只要你的系统更新过,不管windows,ios,安卓,mac还是linux,大部分都已经修补了,但是我们还是检查一下比较好。下面的检查只针对linux,我使用的是ubuntu,用windows的一般都是大神,网上有powershell的检测脚本,自己百度吧。

操作

首先clone下检查的脚本
git clone https://github.com/speed47/spectre-meltdown-checker.git
之后你会看见下面这些文件

➜  ~ cd spectre-meltdown-checker 
➜  spectre-meltdown-checker git:(master) ls
LICENSE  README.md  spectre-meltdown-checker.sh

执行这个脚本就好了,如果脚本没有可执行权限的话,执行
chmod +x spectre-meltdown-checker.sh
还有注意执行这个脚本要使用root用户

➜  spectre-meltdown-checker git:(master) sudo ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.28

Checking for vulnerabilities against running kernel Linux 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  NO 
> STATUS:  VULNERABLE  (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  NO 
*   Kernel support for IBRS:  NO 
*   IBRS enabled for Kernel space:  NO 
*   IBRS enabled for User space:  NO 
* Mitigation 2
*   Kernel compiled with retpoline option:  NO 
*   Kernel compiled with a retpoline-aware compiler:  NO 
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES 
* PTI enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer

可以看到检查了3个cve我的最后一个> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)表示修补了,但是前面两个> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)表示没有被修补,我的ubuntu系统内核是
Linux bboysoul 4.13.0-26-generic #29~16.04.2-Ubuntu SMP Tue Jan 9 22:00:44 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
其实我是已经更新了的,为什么这样呢,我也不知道,还有我的内核更新日期你可以看到的是2018年1月9号的,我把这个脚本放在我的服务器上也检测过了,也是一样的结果。
ubuntu内核更新值得注意的是ubuntu server版本是不需要重启的但是desktop版本就要重启了。
其实不用这个脚本还有一种检测方法,输入下面三行任何一行的命令,如果显示patched,那么就表示你的系统是没有这个漏洞了

grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("

实例

➜  ~ grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
CONFIG_PAGE_TABLE_ISOLATION=y
patched :)
➜  ~ grep cpu_insecure /proc/cpuinfo && echo "patched :)" || echo "unpatched :("
bugs        : cpu_insecure
bugs        : cpu_insecure
bugs        : cpu_insecure
bugs        : cpu_insecure
patched :)
➜  ~ dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
[    0.000000] Kernel/User page tables isolation: enabled
patched :)
➜  ~ 

欢迎关注Bboysoul的博客www.bboysoul.com
Have Fun

责任编辑:admin  二维码分享:
本文标签: echoKernelspectremeltdowncheckerNO
点击我更换图片

评论列表