Skip to content

Releases: speed47/spectre-meltdown-checker

v0.46

26 Jul 16:10
Compare
Choose a tag to compare

This release mainly focuses on the detection of the new Zenbleed (CVE-2023-20593) vulnerability, among few other changes that were in line waiting for a release:

  • feat: detect the vulnerability and mitigation of Zenbleed (CVE-2023-20593)
  • feat: add the linux-firmware repository as another source for CPU microcode versions
  • feat: arm: add Neoverse-N2, Neoverse-V1 and Neoverse-V2
  • fix: docker: adding missing utils (#433)
  • feat: add support for Guix System kernel
  • fix: rewrite SQL to be sqlite3 >= 3.41 compatible (#443)
  • fix: a /devnull file was mistakenly created on the filesystem
  • fix: fwdb: ignore MCEdb versions where an official Intel version exists (fixes #430)

Thanks to the following contributors: @ShadowCurse and @rakino

v0.45

27 Mar 10:39
Compare
Choose a tag to compare

An intermediary release with preparatory work needed to integrate support for new vulns BHI and intra-mode BTI (Spectre V2-like), along with other changes that were in the pipe in the last few months:

  • feat: add --cpu, to conduct MSR read/writes and cpuinfo checks on a given CPU/core number. By default, the first core is used (id 0). --cpu all is also supported, to query all cores and report whether there is discrepancies between cores
  • feat: hardware check: add IPRED_CTRL, RRSBA_CTRL, and BHI_CTRL feature bits checks in cpuinfo, these are needed to mitigate BHI and Intra-mode BTI (https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/branch-history-injection.html)
  • feat: add subleaf (ecx) != 0 support for read_cpuid, needed to query support of new bits in the IA32_SPEC_CTRL MSR
  • feat: add --allow-msr-write, and no longer write to MSRs by default, to avoid spurious messages in kernel logs, as more and more distros default having msr.allow_writes to default (allow but log a warning) or even off, which prevents writing from userspace altogether. This also fixes #385. When the cpuid bit indicating the presence of a write-only MSR is set, we'll now make the assumption that it exists, unless --allow-msr-write is specified, in which case we'll also check that.
  • feat: bsd: for unimplemented CVEs, at least report when CPU is not affected
  • feat: bsd: implement mitigation detection for the MCEPSC vulnerability
  • feat: arm: add Cortex A77 and Neoverse-N1 (fixes #371)
  • feat: arm64: phytium: Add CPU Implementer Phytium
  • feat: arm64: variant 4: detect ssbd mitigation from kernel img, system.map or kconfig
  • feat: Android: autodetect a better suitable default TMPDIR (#415 #424)
  • fix: retpoline: detection on 5.15.28+ (#420)
  • fix: has_vmm false positive with pcp (#394)
  • fix: is_ucode_blacklisted: fix some model names
  • fix: refuse to run under MacOS and ESXi (#398)
  • fix: variant4: added case where prctl ssbd status is tagged as 'unknown'
  • fix: extract_kernel: don't overwrite kernel_err if already set
  • chore: only attempt to load msr and cpuid modules once
  • chore: read_cpuid/read_msr/write_msr: use named constants for better maintainability
  • chore: wording: model not vulnerable -> model not affected
  • chore: update Intel Family 6 models
  • chore: ensure vars are set before being de-referenced (set -u compat)
  • chore: update fwdb to v222+i20220208

v0.44

09 Nov 17:42
Compare
Choose a tag to compare

Quite a big release this time again:

  • feat: add support for SRBDS related vulnerabilities
  • feat: add zstd kernel decompression (#370)
  • enh: arm: add experimental support for binary arm images
  • enh: rsb filling: no longer need the 'strings' tool to check for kernel support in live mode
  • fix: fwdb: remove Intel extract tempdir on exit
  • fix: has_vmm: ignore kernel threads when looking for a hypervisor (fixes #278)
  • fix: fwdb: use the commit date as the intel fwdb version
  • fix: fwdb: update Intel's repository URL
  • fix: arm64: cve-2017-5753: kernels 4.19+ use a different nospec macro
  • fix: on CPU parse info under FreeBSD
  • chore: github: add check run on pull requests
  • chore: fwdb: update to v165.20201021+i20200616

v0.43

08 Dec 14:37
Compare
Choose a tag to compare

A lot of changes made it to this release:

  • feat: implement TAA detection (CVE-2019-11135)
  • feat: implement MCEPSC / iTLB Multihit detection (CVE-2018-12207)
  • feat: taa: add TSX_CTRL MSR detection in hardware info
  • feat: fwdb: use both Intel GitHub repo and MCEdb to build our firmware version database
  • feat: use --live with --kernel/--config/--map to override file detection in live mode
  • enh: rework the vuln logic of MDS with --paranoid (fixes #307)
  • enh: explain that Enhanced IBRS is better for performance than classic IBRS
  • enh: kernel: autodetect customized arch kernels from cmdline
  • enh: kernel decompression: better tolerance against missing tools
  • enh: mock: implement reading from /proc/cmdline
  • fix: variant3a: Silvermont CPUs are not vulnerable to variant 3a
  • fix: lockdown: detect Red Hat locked down kernels (impacts MSR writes)
  • fix: lockdown: detect locked down mode in vanilla 5.4+ kernels
  • fix: sgx: on locked down kernels, fallback to CPUID bit for detection
  • fix: fwdb: builtin version takes precedence if the local cached version is older
  • fix: pteinv: don't check kernel image if not available
  • fix: silence useless error from grep (fixes #322)
  • fix: msr: fix msr module detection under Ubuntu 19.10 (fixes #316)
  • fix: mocking value for read_msr
  • chore: rename mcedb cmdline parameters to fwdb, and change db version scheme
  • chore: fwdb: update to v130.20191104+i20191027
  • chore: add GitHub check workflow

v0.42

24 May 21:30
Compare
Choose a tag to compare
  • Feature: add FreeBSD MDS mitigation detection
  • Feature: add mocking functionality to help debugging, dump data to mock the behavior of your CPU with --dump-mock-data
  • Fix: AMD, ARM and CAVIUM are not vulnerable to MDS
  • Fix: RDCL_NO bit wasn't taking precedence for L1TF check on some newer Intel CPUs
  • Fix: The MDS_NO bit on newer Intel CPUs is now recognized and used
  • Fix: remove libvirtd from hypervisor detection to avoid false positives (#278)
  • Fix: under BSD, the data returned when reading MSR was incorrectly formatted
  • Misc: update builtin MCEdb from v110 to v111

v0.41

14 May 22:40
Compare
Choose a tag to compare
  • Feature: add support for the 4 MDS CVEs (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127, CVE-2019-11091 / Fallout, RIDL, ZombieLoad)
  • Feature: add Spectre and Meltdown mitigation detection for Hygon CPU (#271)
  • Feature: for SSBD, report whether the mitigation is active (in live mode) (#210)
  • Enhancement: better Xen and hypervisors detection (#259) (#270)
  • Enhancement: in paranoid mode, assume we're running a hypervisor (for L1TF) unless stated otherwise
  • Enhancement: better detect Arch kernel image location (#268)
  • Fix: error when no process used prctl to set SSB mitigation
  • Fix: invalid names in json batch mode (#279)
  • Fix: IBRS kernel reported active even if sysfs had "IBRS_FW" only (#275) (#276)
  • Fix: load vmm under BSD if not already loaded (#274)
  • Fix: misdetection of files under Clear Linux (#264)
  • Misc: update MCEdb to v110
  • Misc: dozens of other fixes and enhancements

v0.40

03 Oct 18:58
Compare
Choose a tag to compare
  • Feature: add support for the 3 L1TF CVEs aka Foreshadow and Foreshadow-NG, under Linux and FreeBSD
  • Feature: use the excellent MCExtractor microcode versions database as reference to tell if CPU microcode is up to date, use --update-mcedb to update it (a builtin version is included)
  • Feature: add summary of vulnerabilites at the end of script
  • Feature: add a --batch short option for one line result
  • Enhancement: dynamically use git when available to better describe inter-release versions
  • Enhancement: add the --cve parameter to selectively test vulnerabilities
  • Fix: properly detect SSBD under BSD
  • Fix: --batch now implies --no-color to avoid colored warnings
  • Misc: dozens of other fixes and enhancements

v0.39

13 Aug 13:31
Compare
Choose a tag to compare
  • Feature: two new methods for reading MSR without a recent-enough dd binary: using perl or the msr-tools when these are present
  • Feature: add detection of RSBA feature bit (set by some hypervisors) indicating possible RSB underflow host CPU vulnerability, and require kernel support for RSB stuffing even on non-Skylake CPUs when this is the case
  • Feature: support for /boot partition on a btrfs subvolume (#226)
  • Feature: add standard location of Arch armv5/armv7 kernel image (#227)
  • Fix: the ARCH_CAPABILITIES MSR wasn't read correctly, preventing proper SSB_NO and RDCL_NO feature bits detection

v0.38

07 Aug 08:56
Compare
Choose a tag to compare
  • Feature: support detection for Variant 3a (CVE-2018-3640) and Variant 4 (CVE-2018-3639)
  • Feature: add Spectre v1 mitigation detection for ARM 32 bits
  • Feature: add Cavium CPU support and correct vulnerability information
  • Feature: add guess for kernel image location on Raspberry Pi 3
  • Feature: ability to run the script inside a Docker container (Dockerfile included)
  • Change: omit explanations by default to avoid cluttering the output, use --explain to get detailed mitigation help
  • Enhancement: explain mode: suggest to set VM CPU to an IBRS-capable one for hypervisors
  • Enhancement: avoid use of iflag=skip_bytes for compat with old dd versions
  • Fix: no longer unload msr or cpuid modules on exit if they were loaded before we started
  • Fix: when we can't determine if IBRS is enabled or not, report it as NO instead of UNKNOWN when we know that the CPU can't support it
  • Fix: variant2: detection now works under SLES kernels
  • Fix: ARM: update vulnerability info to latest vendor statement
  • Fix: ARM: ARMv8 models under Cortex A57 correctly marked as non-vulnerable (also fixes Raspberry Pi 3)
  • Fix: prometheus output wouldn't format \n correctly under some systems

v0.37

18 Apr 21:52
Compare
Choose a tag to compare
  • Feature: add a detailed explanation of "what to do" when system if found vulnerable against one of the vulnerabilities (skip with --no-explain)
  • Feature: rework output for IBRS/IBPB check and better detection for newer kernels (IBRS_FW, IBPB without IBRS, ...)
  • Feature: check for Red Hat 7/CentOS 7 specific retp_enabled knob in sysfs
  • Feature: detect arm64 Spectre Variant 1, Spectre Variant 2 and Meltdown (Variant 3) mitigations
  • Feature: add retpoline detection for BSD
  • Feature: add microcode information under BSD
  • Feature: add PTI performance check under BSD
  • Feature: add detection of AMD-specific STIBP, STIBP-always-on, IBRS, IBRS-always-on and IBRS-preferred CPUID feature flags
  • Feature: when ibpb_enabled=2 (Red Hat), warn if SMT is not disabled
  • Feature: detect whether the kernel supports RSB filling (important for Skylake+)
  • Feature: add --paranoid to make IBPB required in addition to retpoline for Variant 2
  • Refactor: don't test AMD-specific flags on Intel and Intel-specific flags on AMD for clarity
  • Fix: when PTI activation is unknown, don't say we're vulnerable
  • Fix: don't hide microcode information for AMD CPUs
  • Misc: other minor fixes and enhancements