How to Check and Patch Meltdown CPU Vulnerability in Linux?

Last Updated : 17 Mar, 2021
Here we will check for and patch the Meltdown CPU vulnerability in Linux. CPU hardware implementations have been found vulnerable to side-channel attacks known as:

  • Meltdown
  • Spectre

Meltdown: A hardware security vulnerability affecting Intel x86 microprocessors, IBM POWER processors, and some ARM-based microprocessors. The bug is called Meltdown because it “melts” the security boundaries normally enforced by the hardware, and it can affect desktops, laptops, and cloud computers. It can allow an unauthorized process to read data from any address that is mapped into the current process’s memory space. As a result, Meltdown can put passwords, encryption data, and any other sensitive information at risk, from any address of any process that exists in its memory map.

Spectre: A vulnerability affecting modern microprocessors that perform branch prediction. The name Spectre is derived from “speculative execution”, an optimization method in which a computer system performs some task based on a prediction; this may leave side effects that reveal private data to attackers. Spectre affects almost all devices, including desktops, laptops, cloud servers, and smartphones. Spectre can trick a program into accessing arbitrary locations in the program’s memory space. It can be exploited remotely by code hosted on malicious web pages, written in interpreted languages like JavaScript, that runs locally in a web browser; the scripted malware would then have access to all the memory mapped into the address space of the running browser.

To safeguard against this type of vulnerability, there is a shell script called Spectre & Meltdown Checker that tells you whether your system is vulnerable to the several “Meltdown” and “speculative execution” CVEs (Common Vulnerabilities and Exposures). spectre-meltdown-checker is a simple shell script that checks whether your Linux system is vulnerable to the “speculative execution” CVEs since 2018.

How does the script work on Linux systems? The script detects mitigations, including backported non-vanilla patches, regardless of the advertised kernel version number and the distribution (such as Debian, Ubuntu, CentOS, RHEL, Fedora, openSUSE, Arch, …).

Spectre & Meltdown Checker

Step 1: Clone Spectre & Meltdown Checker from GitHub

git clone https://github.com/speed47/spectre-meltdown-checker.git 

Step 2: Get inside the Spectre & Meltdown Checker directory

cd spectre-meltdown-checker/

Step 3: Run the script

 sudo ./spectre-meltdown-checker.sh

So from the above results, it is clear my CPU is not vulnerable.

But if you find any of them vulnerable, you can simply update and upgrade your system and reboot it by using the following commands:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo reboot

You can check whether your system is patched or unpatched using the following command:

grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("
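
The grep above only shows that the running kernel was built with page-table isolation; the option has a different name in newer kernels, and isolation can still be switched off at boot. The following is an added example, not part of the original article or of the spectre-meltdown-checker project: the hypothetical function meltdown_status also reads the kernel's own runtime report and the boot command line, assuming an x86 kernel and the standard file locations.

```sh
#!/bin/sh
# Added example: classify the Meltdown mitigation state from three kernel sources.
# meltdown_status is a hypothetical name. The three paths are parameters so the
# function can also be run against constructed sample files.
#
# Usage: meltdown_status SYSFS_FILE CONFIG_FILE CMDLINE_FILE
# Prints: not-affected | mitigated | vulnerable |
#         built-but-disabled | built-in | not-built | unknown
meltdown_status() {
    sysfs=$1 config=$2 cmdline=$3

    # 1. Runtime state as reported by the kernel itself, when the file exists.
    if [ -r "$sysfs" ]; then
        case $(cat "$sysfs") in
            "Not affected"*) echo not-affected; return 0 ;;
            "Mitigation:"*)  echo mitigated;    return 0 ;;
            "Vulnerable"*)   echo vulnerable;   return 0 ;;
        esac
    fi

    # 2. Fallback: build-time option. Without a readable config nothing can be said.
    if [ ! -r "$config" ]; then
        echo unknown; return 0
    fi
    # Newer kernels name the option CONFIG_MITIGATION_PAGE_TABLE_ISOLATION.
    if ! grep -Eq '^CONFIG_(MITIGATION_)?PAGE_TABLE_ISOLATION=y' "$config"; then
        echo not-built; return 0
    fi

    # 3. Built in is not the same as enabled: these boot parameters turn PTI off.
    if [ -r "$cmdline" ] &&
       tr ' ' '\n' < "$cmdline" | grep -Eqx 'nopti|pti=off|mitigations=off'; then
        echo built-but-disabled; return 0
    fi
    echo built-in
}

# Check the live system.
meltdown_status /sys/devices/system/cpu/vulnerabilities/meltdown \
    "/boot/config-$(uname -r)" /proc/cmdline
```

A result of built-but-disabled or vulnerable on a patched kernel usually means a boot parameter needs to be removed from the bootloader configuration.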
