How to Check and Patch Meltdown CPU Vulnerability in Linux

Meltdown is a chip-level security vulnerability that breaks the most fundamental isolation between user programs and the operating system. It allows a program to access the operating system kernel’s and other programs’ private memory areas, and possibly steal sensitive data, such as passwords, crypto-keys and other secrets.

Spectre is a chip-level security flaw that breaks the isolation between different programs. It enables a hacker to trick error-free programs into leaking their sensitive data.

These flaws affect mobile devices, personal computers and cloud systems; depending on the cloud provider’s infrastructure, it might be possible to access/steal data from other customers.

We came across a useful shell script that scans your Linux system to verify whether your kernel has the known correct mitigations in place against Meltdown and Spectre attacks.

spectre-meltdown-checker is a simple shell script to check if your Linux system is vulnerable against the 3 “speculative executionCVEs (Common Vulnerabilities and Exposures) that were made public early this year. Once you run it, it will inspect your currently running kernel.

Optionally, if you have installed multiple kernels and you’d like to inspect a kernel you’re not running, you can specify a kernel image on the command line.

It will significantly try to detect mitigations, including backported non-vanilla patches, not considering the kernel version number advertised on the system. Note that you should launch this script with root privileges to get accurate information, using the sudo command.

$ git clone https://github.com/speed47/spectre-meltdown-checker.git 
$ cd spectre-meltdown-checker/
$ sudo ./spectre-meltdown-checker.sh
Check Meltdown and Spectre Vulnerabilities
Check Meltdown and Spectre Vulnerabilities

From the results of the above scan, our test kernel is vulnerable to the 3 CVEs. In addition, here are a few important points to note about these processor bugs:

  • If your system has a vulnerable processor and runs an unpatched kernel, it is not safe to work with sensitive information without the chance of leaking the information.
  • Fortunately, there are software patches against Meltdown and Spectre, with details provided in Meltdown and Spectre research homepage.

The latest Linux kernels have been redesigned to defang these processor security bug. Therefore update your kernel version and reboot the server to apply updates as shown.

$ sudo yum update      [On CentOS/RHEL]
$ sudo dnf update      [On Fedora]
$ sudo apt-get update  [On Debian/Ubuntu]
# pacman -Syu          [On Arch Linux]

After reboot make sure to scan again with spectre-meltdown-checker.sh script.

You can find a summary of the CVEs from the spectre-meltdown-checker Github repository.

If you read this far, tweet to the author to show them you care. Tweet a thanks
Aaron Kili
Aaron Kili is a Linux and F.O.S.S enthusiast, an upcoming Linux SysAdmin, web developer, and currently a content creator for TecMint who loves working with computers and strongly believes in sharing knowledge.

Each tutorial at TecMint is created by a team of experienced Linux system administrators so that it meets our high-quality standards.

Join the TecMint Weekly Newsletter (More Than 156,129 Linux Enthusiasts Have Subscribed)
Was this article helpful? Please add a comment or buy me a coffee to show your appreciation.

7 thoughts on “How to Check and Patch Meltdown CPU Vulnerability in Linux”

  1. I am running Ubuntu Mate 17.10 and ran process twice and still get vulnerable in ‘ Spectre Variant 1 and 2 ‘ , shows exactly what you have in example, is this still in the process of being fixed ? , or am I missing something .

    Reply
      • Thanks’ for the reply, updated to latest kernel ( 4.14.14 ) still shows vulnerable to ‘ Spectre Variant 1 and 2 ‘ , any thoughts would be appreciated, maybe try some older versions ?

        Reply
  2. I am running on an Antergos (Arch Based Distro). I ran the script and 2 of the 3 sectors had vulnerabilities. I went to upgrade and pacman is saying I have nothing to upgrade. How do I resolve this?

    Reply
    • @ganto

      Thanks a lot for the efforts and for sharing this useful information with us. We will definitely check it out and update the article to include this link.

      Reply

Got something to say? Join the discussion.

Thank you for taking the time to share your thoughts with us. We appreciate your decision to leave a comment and value your contribution to the discussion. It's important to note that we moderate all comments in accordance with our comment policy to ensure a respectful and constructive conversation.

Rest assured that your email address will remain private and will not be published or shared with anyone. We prioritize the privacy and security of our users.