speed47 / spectre-meltdown-checker

Reptar, Downfall, Zenbleed, ZombieLoad, RIDL, Fallout, Foreshadow, Spectre, Meltdown vulnerability/mitigation checker for Linux & BSD

False Results? #143

Closed ghost closed 6 years ago

ghost commented 6 years ago

I ran the following script on Amazon Linux 2017.09, which uses the following kernel version: Linux ip-172-31-9-230 4.9.76-3.78.amzn1.x86_64 #1 SMP Fri Jan 12 19:51:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux. The script says variant 1 (CVE-2017-5715) is vulnerable, but Amazon documentation says those kernels are fixed. Sources: https://aws.amazon.com/speculative-execution-os-updates/ https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

Ubuntu 14.04 and 16.04

As per the tables on https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown, kernel 3.13 for amd64 systems is protected from variant 1, variant 2 and Meltdown (the i386 version is only fully protected from variant 1 though).

```
root@ip-172-31-5-120:~/spectre-meltdown-checker# uname -a
Linux ip-172-31-5-120 3.13.0-141-generic #190-Ubuntu SMP Fri Jan 19 12:52:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
```

The script reported similar errors: the variant 1 check was "unknown", the variant 2 was "vulnerable" and variant 3 was "not vulnerable".

The same issue was diagnosed in 16.04, which ran kernel version 4.4.0-1049-aws. This is protected as per the above Ubuntu documentation: "Cloud images created using 4.4.0-108.131 and its derivatives (for example, linux-aws 4.4.0-1047.56) have the mitigations for Meltdown." 4.4.0-1049-aws is higher than 4.4.0-1047.56 and therefore contains the patches, but the script diagnosed this system as vulnerable.

To summarize, I've patched 3 different instances with the latest available package updates offered by the official OS repository, and none of them were found to be protected somehow. I would enquire with the script publisher as to what their methodology is for fixing the vulnerabilities detected, since there are no newer patches available for the issue the script detects; alternatively, are these false-positive results?

speed47 commented 6 years ago

Thanks for your report. I've been working on a branch to enhance detection for the Canonical (Ubuntu) and RedHat versions of the patches, which are different from the upstream Linux kernel patches. Could you try it again with the redhat_canonical branch and report the results here? ( https://raw.githubusercontent.com/speed47/spectre-meltdown-checker/redhat_canonical/spectre-meltdown-checker.sh )

About the Amazon kernels, I don't know whether they have their own version of the mitigation, different from the upstream, Canonical and RedHat ones, or not. If the above branch doesn't yield better results, would you be able to upload one of those kernels somewhere for me to have a look? Thanks!

ghost commented 6 years ago

Thanks for your quick response. I cloned the new branch redhat_canonical and ran the script on the following OSes: Ubuntu 14.04, Ubuntu 16.04, RedHat 6.9, RedHat 7.x.

Ubuntu 14.04 (kernel version 3.13.0-141-generic) and Ubuntu 16.04 (kernel version 4.4.0-1049-aws): according to the official Ubuntu documentation these are patched, but the script reports variant 1 as unknown, variant 2 as vulnerable and variant 3 as not vulnerable.

For RedHat 6.9 (kernel version 2.6.32-696.20.1.el6.x86_64) and RedHat 7.x (kernel version 3.10.0-327.36.1.el7.x86_64) it gives accurate information.

speed47 commented 6 years ago

I tried several kernels on this branch, including the Ubuntu 3.13.0-141.190-generic. Is this the exact version you've tested, or is it a slightly different one? Could you paste the entire output of the script in verbose mode, so we can find out why you're having different results?

About the 4.4.0-1049-aws, I assumed from the name that it's not an official Ubuntu kernel but an Amazon one. I couldn't test on any Amazon kernel; do you know if it's available for download somewhere? EDIT: found it, it's packaged by Canonical. I had never stumbled upon it, but the redhat_canonical branch correctly finds the mitigations:

```
$ ~/smc/spectre-meltdown-checker.sh --kernel boot/vmlinuz-4.4.0-1049-aws --map boot/System.map-4.4.0-1049-aws --config boot/config-4.4.0-1049-aws
Spectre and Meltdown mitigation detection tool v0.34+

Checking for vulnerabilities against specified kernel
CPU is Intel(R) Pentium(R) CPU G3420 @ 3.20GHz
Kernel image is Linux version 4.4.0-1049-aws (buildd@lcy01-amd64-001) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5) ) #58-Ubuntu SMP Fri Jan 12 23:17:09 UTC 2018 (Ubuntu 4.4.0-1049.58-aws 4.4.98)

Hardware check
[...]
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Kernel has array_index_mask_nospec:  NO
* Kernel has the RedHat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Kernel source has been patched to mitigate the vulnerability (Canonical/RedHat patch))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  N/A  (not testable in offline mode)
    * IBRS enabled for User space:  N/A  (not testable in offline mode)
    * IBPB enabled:  N/A  (not testable in offline mode)
* Mitigation 2
  * Kernel compiled with retpoline option:  NO
  * Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  NOT VULNERABLE  (offline mode: IBRS/IBPB will mitigate the vulnerability if enabled at runtime)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  N/A  (can't verify if PTI is enabled in offline mode)
> STATUS:  NOT VULNERABLE  (offline mode: PTI will mitigate the vulnerability if enabled at runtime)

A false sense of security is worse than no security at all, see --disclaimer
```

Are you having a different result? (I tested the kernel from this package https://packages.ubuntu.com/xenial/amd64/linux-image-4.4.0-1049-aws/download )

Thanks!
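To illustrate what the offline `--map`/`--config` mode above is doing, here is an added example, not code from spectre-meltdown-checker itself: a few POSIX sh heuristics over a System.map and a kernel .config, run against constructed sample files. The symbol and option names checked (`array_index_mask_nospec`, `kaiser_init`, `CONFIG_RETPOLINE`, `CONFIG_PAGE_TABLE_ISOLATION`) are assumptions chosen for illustration, and variant 2 is deliberately left "unknown" because IBRS/IBPB depends on microcode that an offline check cannot see.

```shell
#!/bin/sh
# Added example: offline mitigation heuristics over System.map and .config.
# Not the checker's own code; symbol/option names are illustrative assumptions.

# Constructed sample inputs so the example runs without a real kernel.
SAMPLE_MAP=$(mktemp)
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_MAP" "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_MAP" <<'EOF'
ffffffff81000000 T _text
ffffffff8105a2c0 T array_index_mask_nospec
ffffffff81060000 T kaiser_init
EOF
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_RETPOLINE is not set
EOF

# has_symbol MAP NAME: true if NAME appears as an exact symbol in System.map.
has_symbol() {
    grep -q -E "^[0-9a-f]+ [A-Za-z] $2\$" "$1"
}

# config_enabled CONFIG OPTION: true if OPTION is built in (=y).
config_enabled() {
    grep -q -E "^$2=y\$" "$1"
}

# Each check takes MAP CONFIG, prints a status word and returns 0 only when
# a mitigation was positively identified from the artifacts.
check_variant1() {   # Spectre v1: upstream helper symbol in the map
    if has_symbol "$1" array_index_mask_nospec; then echo "NOT VULNERABLE"; return 0; fi
    echo "VULNERABLE"; return 1
}
check_variant2() {   # Spectre v2: only the retpoline build option is judgeable offline
    if config_enabled "$2" CONFIG_RETPOLINE; then echo "NOT VULNERABLE"; return 0; fi
    echo "UNKNOWN (IBRS/IBPB need runtime microcode)"; return 1
}
check_meltdown() {   # Meltdown: PTI option in the config or a KAISER symbol in the map
    if config_enabled "$2" CONFIG_PAGE_TABLE_ISOLATION || has_symbol "$1" kaiser_init; then
        echo "NOT VULNERABLE"; return 0
    fi
    echo "VULNERABLE"; return 1
}

# report MAP CONFIG: print all three results; never fails so callers can use set -e.
report() {
    printf 'Variant 1: %s\n' "$(check_variant1 "$1" "$2")"
    printf 'Variant 2: %s\n' "$(check_variant2 "$1" "$2")"
    printf 'Meltdown : %s\n' "$(check_meltdown "$1" "$2")"
}
report "$SAMPLE_MAP" "$SAMPLE_CONFIG"
```

Against a real kernel, call `report /boot/System.map-$(uname -r) /boot/config-$(uname -r)`; a "NOT VULNERABLE" here only means the mitigation is built in, not that it is active at runtime.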

ghost commented 6 years ago

[attached screenshot: ubuntu14.04]

Yes, I'm having completely different results. The attached screenshot is for Ubuntu 14.04, and the kernel version is 3.13.0-141-generic, which is not exactly the same as yours.

Also, security packages were installed from this URL: http://security.ubuntu.com trusty-security/universe Sources 293 kB]

speed47 commented 6 years ago

As shown in the script, you should install some packages for correct variant 1 detection: binutils and strings.

speed47 commented 6 years ago

For variant 2, you are indeed vulnerable because your CPU microcode doesn't support IBRS yet (even if your kernel does). Intel is currently releasing updates, so depending on your CPU model, it should arrive in the following days/weeks.