How to Check and Patch Meltdown CPU Vulnerability in Linux?
Here we will check and patch the Meltdown CPU vulnerability in Linux. CPU hardware implementations have been found vulnerable to side-channel attacks; the one covered here is known as:
Meltdown: a security vulnerability in hardware that affects Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. The bug, called Meltdown, "melts" the security boundaries normally enforced by the hardware, and it affects desktops, laptops, and cloud computers alike. It allows an unauthorized process to read data from any address that is mapped into the current process's memory space. As a result, passwords, encryption keys, and any other sensitive information at any address of any process in its memory map may be exposed.
To safeguard against this type of vulnerability there is a shell script called Spectre & Meltdown Checker, which tells you whether your system is vulnerable to the several "Meltdown" and "speculative execution" CVEs (Common Vulnerabilities and Exposures). spectre-meltdown-checker is a simple shell script that checks whether your Linux system is vulnerable to the "speculative execution" CVEs disclosed since 2018.
How does the script work on Linux systems? It detects mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (Debian, Ubuntu, CentOS, RHEL, Fedora, OpenSUSE, Arch, …).
Spectre & Meltdown Checker
Step 1: Clone Spectre & Meltdown Checker from Github
git clone https://github.com/speed47/spectre-meltdown-checker.git
Step 2: Change into the Spectre & Meltdown Checker directory (the directory is named after the cloned repository)
cd spectre-meltdown-checker
Step 3: Run the script (run it as root, since some checks read kernel and CPU details that are not readable by an ordinary user)
sudo ./spectre-meltdown-checker.sh
So from the above results, it is clear my CPU is not vulnerable.
But if you find any of them vulnerable, you can simply update and upgrade your system and reboot it using the following commands (shown here for Debian/Ubuntu; use your distribution's package manager otherwise):
$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo reboot
You can check whether your system is patched or unpatched using the following command:
grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
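The grep above only tells you that the running kernel was built with page-table isolation (KPTI) support; it does not tell you whether the mitigation is actually active, since PTI can be switched off at boot and a kernel that predates the fix has no such option at all. The following is an added example (not code from the article or from the spectre-meltdown-checker project) that combines the article's config check with the kernel's own runtime report in /sys/devices/system/cpu/vulnerabilities/meltdown. The function names and the sample file contents used in the comments are constructed for this example; the sysfs strings "Not affected", "Vulnerable" and "Mitigation: PTI" are what the kernel really writes there.

```shell
#!/bin/sh
# Added example, not from the original article or the spectre-meltdown-checker project.
# Two complementary checks for Meltdown mitigation on Linux:
#   1) build-time: CONFIG_PAGE_TABLE_ISOLATION=y in the kernel config (the article's grep)
#   2) runtime:    the kernel's own sysfs vulnerability report
# All function names below are constructed for this example.

# Return 0 if the given kernel config file enables page-table isolation (KPTI).
config_has_pti() {
    grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y' "$1"
}

# Map one sysfs meltdown status line to a short verdict.
# Real kernels write e.g. "Not affected", "Vulnerable" or "Mitigation: PTI".
classify_meltdown() {
    case "$1" in
        "Not affected") echo "not-affected" ;;
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "vulnerable" ;;
        *)              echo "unknown" ;;
    esac
}

# Combine both checks: first argument is a kernel config file, second is the sysfs
# meltdown file. Prints "<build verdict> <runtime verdict>" on one line.
report_meltdown() {
    cfg="$1"
    sysfs="$2"
    if [ -r "$sysfs" ]; then
        verdict=$(classify_meltdown "$(cat "$sysfs")")
    else
        # No sysfs report: the kernel predates the interface (or it was not backported),
        # so the runtime state cannot be determined this way.
        verdict="unknown"
    fi
    if config_has_pti "$cfg"; then
        built="pti-in-config"
    else
        built="no-pti-in-config"
    fi
    echo "$built $verdict"
}

# Stand-alone use against the live system, with the same paths the article uses:
#   sh ./meltdown-check.sh --live
if [ "${1:-}" = "--live" ]; then
    report_meltdown "/boot/config-$(uname -r)" /sys/devices/system/cpu/vulnerabilities/meltdown
fi
```

A result of "pti-in-config vulnerable" is the case the grep alone would miss: the kernel supports the mitigation but it is not active. "no-pti-in-config unknown" is what you see on an old, unpatched kernel, and is the signal to update and reboot as described above.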