3e757b6177
chore: add github check workflow
2019-11-18 11:28:20 -08:00
f724f94085
enh: kernel: autodetect customized arch kernels from cmdline
2019-11-17 13:36:52 -08:00
dcf540888d
enh: mock: implement reading from /proc/cmdline
2019-11-17 13:36:52 -08:00
9911c243b2
feat: use --live with --kernel/--config/--map to override file detection in live mode
2019-11-17 13:36:52 -08:00
cb279a49ec
enh(taa): more complete version
2019-11-13 01:07:10 +01:00
c100ce4c0d
mcedb: update from v112 to v130
2019-11-12 21:19:03 +01:00
4741b06160
fix: batch mode for TAA
2019-11-12 21:16:21 +01:00
e0a1c2ec77
fix shellcheck warnings
2019-11-12 20:06:12 +01:00
c18b88d745
Fixing typo
2019-11-12 19:40:47 +01:00
d623524342
Added support for TAA related vulnerabilities
2019-11-12 19:40:47 +01:00
f5ec320fe5
enh: rework the vuln logic of MDS with --paranoid ( fixes #307 )
2019-09-22 04:02:33 +02:00
cc224c0522
fix: mocking value for read_msr
...
we were returning the mocking value before actually setting it.
also remove spaces around the returned value (no behavior change)
2019-09-22 01:38:18 +02:00
0518604fe6
Use kernel_err to avoid misreporting missing Linux kernel image
...
When checking for CVE-2017-5715 (i.e. `check_CVE_2017_5715_linux()`),
if we can't inspect (with `readelf`) or decompress the Linux kernel
image, then we report there is no kernel image (i.e. `we need the
kernel image` or `kernel image missing`, respectively), which confuses
users when the associated file exists.
Instead use `kernel_err` to provide a correct and detailed description
of the problem (e.g. `missing '...' tool, please install it, usually
it's in the '...' package`), so the user can take the prescribed
action.
2019-09-22 01:09:58 +02:00
d57fecec91
spectre-meltdown-checker.sh: fix typos
2019-09-20 23:50:52 +02:00
f835f4d07d
Explain that Enhanced IBRS is better for performance than classic IBRS
2019-08-16 12:53:39 +02:00
482d6c200a
Enhanced IBRS capabilities
...
There are two flavors of IBRS: plain and enhanced. This patch tells which flavor of IBRS is in use.
2019-08-16 12:53:39 +02:00
91d0699029
update MCEdb from v111 to v112
2019-06-03 22:49:03 +02:00
fcc4ff4de2
update MCEdb from v110 to v111, bump to v0.42
2019-05-24 22:49:45 +02:00
0bd38ddda0
enh: -v -v now implies --dump-mock-data
2019-05-24 11:36:39 +02:00
e83dc818cd
feat(mds): implement FreeBSD mitigation detection
2019-05-24 11:17:04 +02:00
d69ea67101
feat(mock): add --dump-mock-data
2019-05-24 10:49:40 +02:00
dfe0d10f2a
fix(mds): remove useless display of MD_CLEAR info in non-hw section
2019-05-24 10:20:48 +02:00
58a5acfdbb
fix(bsd): read_msr returned data in an incorrect format
2019-05-24 09:33:56 +02:00
ccb4dbef7c
enh(mock): avoid reading the sysfs interface outside sys_interface_check() for higher mocking coverage
2019-05-24 09:28:18 +02:00
afbb26277f
feat(mock): add mocking functionality to help reproducing issues under specific CPUs
2019-05-24 09:28:18 +02:00
77b34d48c6
fix(mds): check MDS_NO bit in is_cpu_mds_free()
2019-05-24 09:28:18 +02:00
497efe6a82
fix(l1tf): RDCL_NO bit didn't take precedence for vulnerability check on some Intel CPUs
2019-05-24 09:28:18 +02:00
62b46df4e7
fix(l1tf): remove libvirtd from hypervisor detection ( #278 )
2019-05-18 14:22:42 +02:00
7d1f269bed
fix(mds): AMD confirms they're not vulnerable
2019-05-16 11:31:28 +02:00
4f9ca803c8
Fix help text ( #285 )
...
* fix --help message
Commit 7b72c20f898e870db4f5
2019-05-15 19:34:51 +02:00
5788cec18b
fix(mds): ARM and CAVIUM are not thought to be vulnerable
2019-05-15 10:56:49 +02:00
ae56ec0bc5
bump to v0.41
2019-05-15 09:57:28 +02:00
871443c9db
fix typos in README
2019-05-15 00:28:55 +02:00
8fd4e3ab01
fix(xen): remove xenbus and xenwatch as they also exist in domU
2019-05-15 00:23:05 +02:00
de793a7204
feat(mds): more verbose info about kernel support and microcode support for mitigation
2019-05-15 00:21:08 +02:00
11790027d3
feat(mds): add alias ZombieLoad for CVE-2018-12130
2019-05-14 21:42:36 +02:00
5939c38c5c
update mcedb from v109 to v110 to better detect MDS microcodes
2019-05-14 20:31:27 +02:00
db7d3206fd
feat(mds): add detection of availability of MD_CLEAR instruction
2019-05-14 20:30:47 +02:00
1d13a423b8
adjust README
2019-05-14 20:16:01 +02:00
8e870db4f5
Added support for MDS related vulnerabilities ( #282 )
2019-05-14 19:21:20 +02:00
d547ce4ab4
fix(ssb): fix error when no process uses prctl to set ssb mitigation
...
fixes #281
2019-05-13 15:35:58 +02:00
d187827841
enh(vmm): add Xen daemons detection
2019-05-08 20:44:54 +02:00
2e304ec617
enh(xen): improvements for xen systems ( #270 )
...
* add mitigation detection for l1tf for xen based systems
* add information for hardware mitigation
* add xen support for meltdown
2019-05-07 20:35:52 +02:00
fcc04437e8
update builtin MCEdb from v96 to v109
2019-05-07 20:29:59 +02:00
d31a9810e6
enhance previous commit logic
2019-05-05 20:09:53 +02:00
4edb867def
fix(vmm): revert to checking the running processes to detect a hypervisor
...
More information available on #278
2019-05-05 20:04:25 +02:00
1264b1c7a3
chore: more shellcheck 0.6 fixes
2019-05-05 18:34:09 +02:00
7beca1ac50
fix: invalid names in json batch mode ( fixes #279 )
2019-05-05 18:15:41 +02:00
8ad10e15d3
chore: Comply with Shellcheck SC2209 ( #280 )
2019-05-05 17:31:18 +02:00
bfa4de96e6
enh(l1tf): in paranoid mode, assume we're running a hypervisor unless stated otherwise
...
This change ensures we check for SMT and advise the user to disable it for maximum security.
Doing this, we'll help users mitigate a whole range of vulnerabilities taking advantage of SMT to attack purely from userland other userland processes, as seen in CVE-2018-5407 (also see #261 )
2019-04-21 14:05:43 +02:00
Stéphane Lesimple
Agata Gruza
Corey Wright
Erik Zettel
David Guglielmi
Erich Ritz
Hans-Joachim Kliemeck
David