diff --git a/README.md b/README.md index caf7159..474ce96 100644 --- a/README.md +++ b/README.md @@ -10,10 +10,10 @@ A shell script to tell if your system is vulnerable against the several "specula - CVE-2018-3615 [L1 terminal fault] aka 'Foreshadow (SGX)' - CVE-2018-3620 [L1 terminal fault] aka 'Foreshadow-NG (OS)' - CVE-2018-3646 [L1 terminal fault] aka 'Foreshadow-NG (VMM)' -- CVE-2018-12126 [MSBDS] Microarchitectural Store Buffer Data Sampling -- CVE-2018-12130 [MFBDS] Microarchitectural Fill Buffer Data Sampling -- CVE-2018-12127 [MLPDS] Microarchitectural Load Port Data Sampling -- CVE-2019-11091 [MDSUM] Microarchitectural Data Sampling Uncacheable Memory +- CVE-2018-12126 [microarchitectural store buffer data sampling (MSBDS)] aka 'Fallout' +- CVE-2018-12130 [microarchitectural fill buffer data sampling (MFBDS)] aka 'RIDL' +- CVE-2018-12127 [microarchitectural load port data sampling (MLPDS)] aka 'RIDL' +- CVE-2019-11091 [microarchitectural data sampling uncacheable memory (MDSUM)] aka 'RIDL' Supported operating systems: - Linux (all versions, flavors and distros) @@ -125,21 +125,25 @@ docker run --rm --privileged -v /boot:/boot:ro -v /dev/cpu:/dev/cpu:ro -v /lib/m - Impact: Kernel & System management mode - Mitigation: updated kernel (with PTE inversion) - Performance impact of the mitigation: negligible - + **CVE-2018-3646** l1 terminal fault (Foreshadow-NG VMM) - Impact: Virtualization software and Virtual Machine Monitors - - Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or - updated kernel (with L1d flush) + - Mitigation: disable ept (extended page tables), disable hyper-threading (SMT), or updated kernel (with L1d flush) - Performance impact of the mitigation: low to significant -**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling -**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling -**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling -**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory +**CVE-2018-12126** [MSBDS] Microarchitectural Store Buffer Data Sampling (Fallout) + +**CVE-2018-12130** [MFBDS] Microarchitectural Fill Buffer Data Sampling (RIDL) + +**CVE-2018-12127** [MLPDS] Microarchitectural Load Port Data Sampling (RIDL) + +**CVE-2019-11091** [MDSUM] Microarchitectural Data Sampling Uncacheable Memory (RIDL) - Impact: Kernel - Mitigation: microcode update + kernel update making possible to protect various CPU internal buffers from unprivilaged speculative access to data + - Performance impact of the mitigation: TBC + - Note: These 4 CVEs are similar and collectively named "MDS" vulnerabilities, the mitigation is identical same for all ## Understanding what this script does and doesn't diff --git a/spectre-meltdown-checker.sh b/spectre-meltdown-checker.sh index 83c528b..648aa5b 100755 --- a/spectre-meltdown-checker.sh +++ b/spectre-meltdown-checker.sh @@ -2354,7 +2354,6 @@ check_cpu() fi _info_nol " * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: " - mds_no=-1 capabilities_mds_no=-1 capabilities_rdcl_no=-1 capabilities_ibrs_all=-1 @@ -4269,13 +4268,13 @@ check_mds() if [ "$opt_live" != 1 ]; then pstatus blue N/A "not testable in offline mode" - pvulnstatus $cve UNK + pvulnstatus "$cve" UNK return fi if ! is_cpu_vulnerable "$cve" ; then # override status & msg in case CPU is not vulnerable after all - pvulnstatus $cve OK "your CPU vendor reported your CPU model as not vulnerable" + pvulnstatus "$cve" OK "your CPU vendor reported your CPU model as not vulnerable" return fi @@ -4312,11 +4311,11 @@ check_mds() fi if [ $mds_mitigated = 0 ];then - pvulnstatus $cve VULN + pvulnstatus "$cve" VULN elif [ $mds_mitigated = 1 ]; then - pvulnstatus $cve OK + pvulnstatus "$cve" OK else - pvulnstatus $cve UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst" + pvulnstatus "$cve" UNK "further action may be needed to mitigate this vulnerability. For more info check Linux kernel Documentation/admin-guide/hw-vuln/mds.rst" fi }