Advertisement
Guest User

Untitled

a guest
Oct 2nd, 2019
16
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 8.91 KB | None | 0 0
  1. Spectre and Meltdown mitigation detection tool v0.42-7-gf5ec320
  2.  
  3. Checking for vulnerabilities on current system
  4. Kernel is Linux 5.2.11-1-MANJARO #1 SMP PREEMPT Thu Aug 29 07:41:24 UTC 2019 x86_64
  5. CPU is Intel(R) Core(TM) i7-4700MQ CPU @ 2.40GHz
  6.  
  7. Hardware check
  8. * Hardware support (CPU microcode) for mitigation techniques
  9. * Indirect Branch Restricted Speculation (IBRS)
  10. * SPEC_CTRL MSR is available: YES
  11. * CPU indicates IBRS capability: YES (SPEC_CTRL feature bit)
  12. * Indirect Branch Prediction Barrier (IBPB)
  13. * PRED_CMD MSR is available: YES
  14. * CPU indicates IBPB capability: YES (SPEC_CTRL feature bit)
  15. * Single Thread Indirect Branch Predictors (STIBP)
  16. * SPEC_CTRL MSR is available: YES
  17. * CPU indicates STIBP capability: YES (Intel STIBP feature bit)
  18. * Speculative Store Bypass Disable (SSBD)
  19. * CPU indicates SSBD capability: YES (Intel SSBD)
  20. * L1 data cache invalidation
  21. * FLUSH_CMD MSR is available: YES
  22. * CPU indicates L1D flush capability: YES (L1D flush feature bit)
  23. * Microarchitectural Data Sampling
  24. * VERW instruction is available: YES (MD_CLEAR feature bit)
  25. * Enhanced IBRS (IBRS_ALL)
  26. * CPU indicates ARCH_CAPABILITIES MSR availability: NO
  27. * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
  28. * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): NO
  29. * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
  30. * CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO
  31. * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA): NO
  32. * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO): NO
  33. * CPU supports Software Guard Extensions (SGX): NO
  34. * CPU microcode is known to cause stability problems: NO (model 0x3c family 0x6 stepping 0x3 ucode 0x27 cpuid 0x306c3)
  35. * CPU microcode is the latest known available version: YES (latest version is 0x27 dated 2019/02/26 according to builtin MCExtractor DB v112 - 2019/05/22)
  36. * CPU vulnerability to the speculative execution attack variants
  37. * Vulnerable to CVE-2017-5753 (Spectre Variant 1, bounds check bypass): YES
  38. * Vulnerable to CVE-2017-5715 (Spectre Variant 2, branch target injection): YES
  39. * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): YES
  40. * Vulnerable to CVE-2018-3640 (Variant 3a, rogue system register read): YES
  41. * Vulnerable to CVE-2018-3639 (Variant 4, speculative store bypass): YES
  42. * Vulnerable to CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault): NO
  43. * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): YES
  44. * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): YES
  45. * Vulnerable to CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)): YES
  46. * Vulnerable to CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)): YES
  47. * Vulnerable to CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)): YES
  48. * Vulnerable to CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)): YES
  49.  
  50. CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
  51. * Mitigated according to the /sys interface: YES (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  52. * Kernel has array_index_mask_nospec: YES (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
  53. * Kernel has the Red Hat/Ubuntu patch: NO
  54. * Kernel has mask_nospec64 (arm64): NO
  55. > STATUS: NOT VULNERABLE (Mitigation: usercopy/swapgs barriers and __user pointer sanitization)
  56.  
  57. CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
  58. * Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling)
  59. * Mitigation 1
  60. * Kernel is compiled with IBRS support: YES
  61. * IBRS enabled and active: YES (for firmware code only)
  62. * Kernel is compiled with IBPB support: YES
  63. * IBPB enabled and active: YES
  64. * Mitigation 2
  65. * Kernel has branch predictor hardening (arm): NO
  66. * Kernel compiled with retpoline option: YES
  67. * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
  68. > STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)
  69.  
  70. CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
  71. * Mitigated according to the /sys interface: YES (Mitigation: PTI)
  72. * Kernel supports Page Table Isolation (PTI): YES
  73. * PTI enabled and active: YES
  74. * Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
  75. * Running as a Xen PV DomU: NO
  76. > STATUS: NOT VULNERABLE (Mitigation: PTI)
  77.  
  78. CVE-2018-3640 aka 'Variant 3a, rogue system register read'
  79. * CPU microcode mitigates the vulnerability: YES
  80. > STATUS: NOT VULNERABLE (your CPU microcode mitigates the vulnerability)
  81.  
  82. CVE-2018-3639 aka 'Variant 4, speculative store bypass'
  83. * Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
  84. * Kernel supports disabling speculative store bypass (SSB): YES (found in /proc/self/status)
  85. * SSB mitigation is enabled and active: YES (per-thread through prctl)
  86. * SSB mitigation currently active for selected processes: YES (firefox haveged ModemManager systemd-journald systemd-logind systemd-timesyncd systemd-udevd upowerd)
  87. > STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
  88.  
  89. CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
  90. * CPU microcode mitigates the vulnerability: N/A
  91. > STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)
  92.  
  93. CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
  94. * Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
  95. * Kernel supports PTE inversion: YES (found in kernel image)
  96. * PTE inversion enabled and active: YES
  97. > STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable)
  98.  
  99. CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
  100. * Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
  101. * This system is a host running a hypervisor: NO
  102. * Mitigation 1 (KVM)
  103. * EPT is disabled: NO
  104. * Mitigation 2
  105. * L1D flush is supported by kernel: YES (found flush_l1d in /proc/cpuinfo)
  106. * L1D flush enabled: YES (conditional flushes)
  107. * Hardware-backed L1D flush supported: YES (performance impact of the mitigation will be greatly reduced)
  108. * Hyper-Threading (SMT) is enabled: YES
  109. > STATUS: NOT VULNERABLE (this system is not running a hypervisor)
  110.  
  111. CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
  112. * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
  113. * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  114. * Kernel mitigation is enabled and active: YES
  115. * SMT is either mitigated or disabled: NO
  116. > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
  117.  
  118. CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
  119. * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
  120. * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  121. * Kernel mitigation is enabled and active: YES
  122. * SMT is either mitigated or disabled: NO
  123. > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
  124.  
  125. CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
  126. * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
  127. * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  128. * Kernel mitigation is enabled and active: YES
  129. * SMT is either mitigated or disabled: NO
  130. > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
  131.  
  132. CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
  133. * Mitigated according to the /sys interface: YES (Mitigation: Clear CPU buffers; SMT vulnerable)
  134. * Kernel supports using MD_CLEAR mitigation: YES (md_clear found in /proc/cpuinfo)
  135. * Kernel mitigation is enabled and active: YES
  136. * SMT is either mitigated or disabled: NO
  137. > STATUS: NOT VULNERABLE (Your microcode and kernel are both up to date for this mitigation, and mitigation is enabled)
  138.  
  139. > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement