👾 How to check a system for processor vulnerabilities

Information security audit

Clone the Spectre & Meltdown Checker repository to get "a shell script to assess your system's resilience against the several CVEs that were published since early 2018, and give you guidance on how to mitigate them".

$ git clone https://github.com/speed47/spectre-meltdown-checker.git
Cloning into 'spectre-meltdown-checker'...
remote: Enumerating objects: 1479, done.
remote: Counting objects: 100% (42/42), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 1479 (delta 24), reused 36 (delta 23), pack-reused 1437
Receiving objects: 100% (1479/1479), 774.42 KiB | 2.44 MiB/s, done.
Resolving deltas: 100% (923/923), done.

Change into the working directory.

$ cd spectre-meltdown-checker

Check the script's options:

$ ./spectre-meltdown-checker.sh --help
Spectre and Meltdown mitigation detection tool v0.44-15-ga485c78

	Usage:
		Live mode (auto):   spectre-meltdown-checker.sh [options]
		Live mode (manual): spectre-meltdown-checker.sh [options] <[--kernel ] [--config ] [--map ]> --live
		Offline mode:       spectre-meltdown-checker.sh [options] <[--kernel ] [--config ] [--map ]>

	Modes:
		Two modes are available.

		First mode is the "live" mode (default), it does its best to find information about the currently running kernel.
		To run under this mode, just start the script without any option (you can also use --live explicitly)

		Second mode is the "offline" mode, where you can inspect a non-running kernel.
		This mode is automatically enabled when you specify the location of the kernel file, config and System.map files:

		--kernel kernel_file	specify a (possibly compressed) Linux or BSD kernel file
		--config kernel_config	specify a kernel config file (Linux only)
		--map kernel_map_file	specify a kernel System.map file (Linux only)

		If you want to use live mode while specifying the location of the kernel, config or map file yourself,
		you can add --live to the above options, to tell the script to run in live mode instead of the offline mode,
		which is enabled by default when at least one file is specified on the command line.

	Options:
		--no-color		don't use color codes
		--verbose, -v		increase verbosity level, possibly several times
		--explain		produce an additional human-readable explanation of actions to take to mitigate a vulnerability
		--paranoid		require IBPB to deem Variant 2 as mitigated
					also require SMT disabled + unconditional L1D flush to deem Foreshadow-NG VMM as mitigated
					also require SMT disabled to deem MDS vulnerabilities mitigated

		--no-sysfs		don't use the /sys interface even if present [Linux]
		--sysfs-only		only use the /sys interface, don't run our own checks [Linux]
		--coreos		special mode for CoreOS (use an ephemeral toolbox to inspect kernel) [Linux]

		--arch-prefix PREFIX	specify a prefix for cross-inspecting a kernel of a different arch, for example "aarch64-linux-gnu-",
					so that invoked tools will be prefixed with this (i.e. aarch64-linux-gnu-objdump)
		--batch text		produce machine readable output, this is the default if --batch is specified alone
		--batch short		produce only one line with the vulnerabilities separated by spaces
		--batch json		produce JSON output formatted for Puppet, Ansible, Chef...
		--batch nrpe		produce machine readable output formatted for NRPE
		--batch prometheus      produce output for consumption by prometheus-node-exporter

		--variant VARIANT	specify which variant you'd like to check, by default all variants are checked
					VARIANT can be one of 1, 2, 3, 3a, 4, l1tf, msbds, mfbds, mlpds, mdsum, taa, mcepsc, srbds
					can be specified multiple times (e.g. --variant 2 --variant 3)
		--cve [cve1,cve2,...]	specify which CVE you'd like to check, by default all supported CVEs are checked
		--hw-only		only check for CPU information, don't check for any variant
		--no-hw			skip CPU information and checks, if you're inspecting a kernel not to be run on this host
		--vmm [auto,yes,no]	override the detection of the presence of a hypervisor, default: auto
		--update-fwdb		update our local copy of the CPU microcodes versions database (using the awesome
					MCExtractor project and the Intel firmwares GitHub repository)
		--update-builtin-fwdb	same as --update-fwdb but update builtin DB inside the script itself
		--dump-mock-data	used to mimick a CPU on an other system, mainly used to help debugging this script

	Return codes:
		0 (not vulnerable), 2 (vulnerable), 3 (unknown), 255 (error)

	IMPORTANT:
	A false sense of security is worse than no security at all.
	Please use the --disclaimer option to understand exactly what this script does.

View the disclaimer:

$ ./spectre-meltdown-checker.sh --disclaimer
Spectre and Meltdown mitigation detection tool v0.44-15-ga485c78

Disclaimer:

This tool does its best to determine whether your system is immune (or has proper mitigations in place) for the
collectively named "speculative execution" vulnerabilities. It doesn't attempt to run any kind of exploit, and can't guarantee
that your system is secure, but rather helps you verifying whether your system has the known correct mitigations in place.
However, some mitigations could also exist in your kernel that this script doesn't know (yet) how to detect, or it might
falsely detect mitigations that in the end don't work as expected (for example, on backported or modified kernels).

Your system exposure also depends on your CPU. As of now, AMD and ARM processors are marked as immune to some or all of these
vulnerabilities (except some specific ARM models). All Intel processors manufactured since circa 1995 are thought to be vulnerable,
except some specific/old models, such as some early Atoms. Whatever processor one uses, one might seek more information
from the manufacturer of that processor and/or of the device in which it runs.

The nature of the discovered vulnerabilities being quite new, the landscape of vulnerable processors can be expected
to change over time, which is why this script makes the assumption that all CPUs are vulnerable, except if the manufacturer
explicitly stated otherwise in a verifiable public announcement.

Please also note that for Spectre vulnerabilities, all software can possibly be exploited, this tool only verifies that the
kernel (which is the core of the system) you're using has the proper protections in place. Verifying all the other software
is out of the scope of this tool. As a general measure, ensure you always have the most up to date stable versions of all
the software you use, especially for those who are exposed to the world, such as network daemons and browsers.

This tool has been released in the hope that it'll be useful, but don't use it to jump to conclusions about your security.

Assess the situation (the --explain option adds remediation advice to each finding):

$ sudo ./spectre-meltdown-checker.sh --explain
Spectre and Meltdown mitigation detection tool v0.44-15-ga485c78

Checking for vulnerabilities on current system
Kernel is Linux 5.11.0-34-generic #36-Ubuntu SMP Thu Aug 26 19:22:09 UTC 2021 x86_64
CPU is Intel(R) Core(TM) i5-4570S CPU @ 2.90GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  YES 
    * CPU indicates IBPB capability:  YES  (SPEC_CTRL feature bit)
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  YES 
    * CPU indicates STIBP capability:  YES  (Intel STIBP feature bit)
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  YES  (Intel SSBD)
  * L1 data cache invalidation
    * FLUSH_CMD MSR is available:  YES 
    * CPU indicates L1D flush capability:  YES  (L1D flush feature bit)
  * Microarchitectural Data Sampling
    * VERW instruction is available:  YES  (MD_CLEAR feature bit)
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO 
  * Hypervisor indicates host CPU might be vulnerable to RSB underflow (RSBA):  NO 
  * CPU explicitly indicates not being vulnerable to Microarchitectural Data Sampling (MDS_NO):  NO 
  * CPU explicitly indicates not being vulnerable to TSX Asynchronous Abort (TAA_NO):  NO 
  * CPU explicitly indicates not being vulnerable to iTLB Multihit (PSCHANGE_MSC_NO):  NO 
  * CPU explicitly indicates having MSR for TSX control (TSX_CTRL_MSR):  NO 
  * CPU supports Transactional Synchronization Extensions (TSX):  NO 
  * CPU supports Software Guard Extensions (SGX):  NO 
  * CPU supports Special Register Buffer Data Sampling (SRBDS):  YES 
  * CPU microcode is known to cause stability problems:  NO  (family 0x6 model 0x3c stepping 0x3 ucode 0x28 cpuid 0x306c3)
  * CPU microcode is the latest known available version:  YES  (latest version is 0x28 dated 2019/11/12 according to builtin firmwares DB v191+i20210217)
* CPU vulnerability to the speculative execution attack variants
  * Affected by CVE-2017-5753 (Spectre Variant 1, bounds check bypass):  YES 
  * Affected by CVE-2017-5715 (Spectre Variant 2, branch target injection):  YES 
  * Affected by CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  YES 
  * Affected by CVE-2018-3640 (Variant 3a, rogue system register read):  YES 
  * Affected by CVE-2018-3639 (Variant 4, speculative store bypass):  YES 
  * Affected by CVE-2018-3615 (Foreshadow (SGX), L1 terminal fault):  NO 
  * Affected by CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  YES 
  * Affected by CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  YES 
  * Affected by CVE-2018-12126 (Fallout, microarchitectural store buffer data sampling (MSBDS)):  YES 
  * Affected by CVE-2018-12130 (ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)):  YES 
  * Affected by CVE-2018-12127 (RIDL, microarchitectural load port data sampling (MLPDS)):  YES 
  * Affected by CVE-2019-11091 (RIDL, microarchitectural data sampling uncacheable memory (MDSUM)):  YES 
  * Affected by CVE-2019-11135 (ZombieLoad V2, TSX Asynchronous Abort (TAA)):  NO 
  * Affected by CVE-2018-12207 (No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)):  YES 
  * Affected by CVE-2020-0543 (Special Register Buffer Data Sampling (SRBDS)):  YES 

CVE-2017-5753 aka 'Spectre Variant 1, bounds check bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)
* Kernel has array_index_mask_nospec:  YES  (1 occurrence(s) found of x86 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm64):  NO 
* Kernel has array_index_nospec (arm64):  NO 
> STATUS:  VULNERABLE  (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface:  NO  (Vulnerable, IBPB: disabled, STIBP: disabled)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  UNKNOWN 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  YES 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

> How to fix: To mitigate this vulnerability, you need either IBRS + IBPB, both requiring hardware support from your CPU microcode in addition to kernel support, or a kernel compiled with retpoline and IBPB, with retpoline requiring a retpoline-aware compiler (re-run this script with -v to know if your version of gcc is retpoline-aware) and IBPB requiring hardware support from your CPU microcode. The retpoline + IBPB approach is generally preferred as the performance impact is lower. More information about how to enable the missing bits for those two possible mitigations on your system follow. You only need to take one of the two approaches.

> How to fix: Both your CPU and your kernel have IBRS support, but it is currently disabled. You may enable it. Check in your distro's documentation on how to do this.

CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  NO 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  VULNERABLE  (PTI is needed to mitigate the vulnerability)

> How to fix: If you're using a distro kernel, upgrade your distro to get the latest kernel available. Otherwise, recompile the kernel with the CONFIG_PAGE_TABLE_ISOLATION option (named CONFIG_KAISER for some kernels), or the CONFIG_UNMAP_KERNEL_AT_EL0 option (for ARM64)

CVE-2018-3640 aka 'Variant 3a, rogue system register read'
* CPU microcode mitigates the vulnerability:  YES 
> STATUS:  NOT VULNERABLE  (your CPU microcode mitigates the vulnerability)

CVE-2018-3639 aka 'Variant 4, speculative store bypass'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* Kernel supports disabling speculative store bypass (SSB):  YES  (found in /proc/self/status)
* SSB mitigation is enabled and active:  NO 
> STATUS:  VULNERABLE  (your CPU and kernel both support SSBD but the mitigation is not active)

CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'
* CPU microcode mitigates the vulnerability:  N/A 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES 
> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled)

CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface: Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled
* This system is a host running a hypervisor:  NO 
* Mitigation 1 (KVM)
  * EPT is disabled:  NO 
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in /proc/cpuinfo)
  * L1D flush enabled:  NO 
  * Hardware-backed L1D flush supported:  YES  (performance impact of the mitigation will be greatly reduced)
  * Hyper-Threading (SMT) is enabled:  NO 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2018-12126 aka 'Fallout, microarchitectural store buffer data sampling (MSBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT disabled)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  YES 
> STATUS:  VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)

CVE-2018-12130 aka 'ZombieLoad, microarchitectural fill buffer data sampling (MFBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT disabled)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  YES 
> STATUS:  VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)

CVE-2018-12127 aka 'RIDL, microarchitectural load port data sampling (MLPDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT disabled)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  YES 
> STATUS:  VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)

CVE-2019-11091 aka 'RIDL, microarchitectural data sampling uncacheable memory (MDSUM)'
* Mitigated according to the /sys interface:  NO  (Vulnerable; SMT disabled)
* Kernel supports using MD_CLEAR mitigation:  YES  (md_clear found in /proc/cpuinfo)
* Kernel mitigation is enabled and active:  NO 
* SMT is either mitigated or disabled:  YES 
> STATUS:  VULNERABLE  (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)

CVE-2019-11135 aka 'ZombieLoad V2, TSX Asynchronous Abort (TAA)'
* Mitigated according to the /sys interface:  YES  (Not affected)
* TAA mitigation is supported by kernel:  YES  (found tsx_async_abort in kernel image)
* TAA mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

CVE-2018-12207 aka 'No eXcuses, iTLB Multihit, machine check exception on page size changes (MCEPSC)'
* Mitigated according to the /sys interface:  UNKNOWN  (KVM: Vulnerable)
* This system is a host running a hypervisor:  NO 
* iTLB Multihit mitigation is supported by kernel:  YES  (found itlb_multihit in kernel image)
* iTLB Multihit mitigation enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

CVE-2020-0543 aka 'Special Register Buffer Data Sampling (SRBDS)'
* Mitigated according to the /sys interface:  NO  (Vulnerable)
* SRBDS mitigation control is supported by the kernel:  YES  (found SRBDS implementation evidence in kernel image. Your kernel is up to date for SRBDS mitigation)
* SRBDS mitigation control is enabled and active:  NO 
> STATUS:  NOT VULNERABLE  (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)

> SUMMARY: CVE-2017-5753:KO CVE-2017-5715:KO CVE-2017-5754:KO CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK

A false sense of security is worse than no security at all, see --disclaimer
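The --explain report above repeatedly cross-references the kernel's own /sys interface ("Mitigated according to the /sys interface"). The following function, an added example that is not part of the original post or of the spectre-meltdown-checker project, reads those sysfs files directly and reduces them to the checker's return-code convention (0 nothing vulnerable, 2 at least one "Vulnerable" entry, 3 interface missing), which is a useful second opinion when the script and the kernel disagree. The directory argument and the constructed sample tree are assumptions made for demonstration; the sample mirrors the verdicts shown in the run above.

```shell
#!/bin/sh
# Added example, not from the post or the checker project.
# Summarise /sys/devices/system/cpu/vulnerabilities/* and return
# 0 (nothing vulnerable), 2 (something vulnerable) or 3 (no sysfs interface).
# The directory is a parameter (assumption) so the function can be tested
# against a constructed tree instead of the live kernel.
sysfs_vuln_summary() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || { echo "no sysfs vulnerability interface at $dir" >&2; return 3; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        printf '%-20s %s\n' "$name:" "$status"
        # The kernel prefixes every unmitigated entry with "Vulnerable".
        case "$status" in
            Vulnerable*) rc=2 ;;
        esac
    done
    return "$rc"
}

# Constructed sample tree (demonstration only) mirroring the run above:
# Spectre v1/v2, Meltdown, SSB and MDS vulnerable, L1TF mitigated, TAA not affected.
make_sample_sysfs() {
    d=$(mktemp -d)
    echo 'Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers' > "$d/spectre_v1"
    echo 'Vulnerable, IBPB: disabled, STIBP: disabled' > "$d/spectre_v2"
    echo 'Vulnerable' > "$d/meltdown"
    echo 'Vulnerable' > "$d/spec_store_bypass"
    echo 'Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled' > "$d/l1tf"
    echo 'Vulnerable; SMT disabled' > "$d/mds"
    echo 'Not affected' > "$d/tsx_async_abort"
    echo "$d"
}

# Stand-alone run against the live kernel; the return code is the verdict.
sysfs_vuln_summary || echo "sysfs verdict code: $?" >&2
```

Pass a directory to inspect a copied sysfs tree (for example one collected from another host); with no argument the live kernel is read.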

View only the vulnerabilities (NRPE format):

$ sudo ./spectre-meltdown-checker.sh --batch nrpe
Vulnerable: CVE-2017-5753 CVE-2017-5715 CVE-2017-5754 CVE-2018-3639 CVE-2018-12126 CVE-2018-12130 CVE-2018-12127 CVE-2019-11091

Get machine-readable text output:

$ sudo ./spectre-meltdown-checker.sh --batch text
CVE-2017-5753: VULN (Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers)
CVE-2017-5715: VULN (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
CVE-2017-5754: VULN (PTI is needed to mitigate the vulnerability)
CVE-2018-3640: OK (your CPU microcode mitigates the vulnerability)
CVE-2018-3639: VULN (your CPU and kernel both support SSBD but the mitigation is not active)
CVE-2018-3615: OK (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-3620: OK (Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled)
CVE-2018-3646: OK (this system is not running a hypervisor)
CVE-2018-12126: VULN (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)
CVE-2018-12130: VULN (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)
CVE-2018-12127: VULN (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)
CVE-2019-11091: VULN (Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active)
CVE-2019-11135: OK (your CPU vendor reported your CPU model as not vulnerable)
CVE-2018-12207: OK (this system is not running a hypervisor)
CVE-2020-0543: OK (Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled)
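The --batch text format above is the one to parse when the checker runs from cron or a configuration-management agent. As an added example, not from the post or from the project, the function below reads that output from stdin, prints one summary line listing the vulnerable CVEs, and returns the same codes the checker documents under "Return codes" (0 clean, 2 vulnerable, 3 unknown). The sample input is a constructed subset of the lines shown above; the function and sample names are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the checker project.
# Summarise `spectre-meltdown-checker.sh --batch text` output read from stdin.
# Lines look like "CVE-YYYY-NNNN: VULN (reason)"; VULN counts as vulnerable,
# OK as mitigated, anything else as unknown. Return code mirrors the checker:
# 2 if any VULN, else 3 if any unknown, else 0.
summarize_batch_text() {
    awk '
        $1 ~ /^CVE-[0-9]+-[0-9]+:$/ {
            cve = substr($1, 1, length($1) - 1)   # strip trailing colon
            if ($2 == "VULN")    { vuln++; vlist = vlist " " cve }
            else if ($2 == "OK") { ok++ }
            else                 { unk++ }
        }
        END {
            printf "vulnerable=%d mitigated=%d unknown=%d%s\n", vuln, ok, unk,
                   (vuln ? " (" substr(vlist, 2) ")" : "")
            exit (vuln ? 2 : (unk ? 3 : 0))
        }'
}

# Constructed sample (a subset of the run above), for demonstration only.
sample_batch_text() {
    cat <<'EOF'
CVE-2017-5754: VULN (PTI is needed to mitigate the vulnerability)
CVE-2018-3640: OK (your CPU microcode mitigates the vulnerability)
CVE-2018-3639: VULN (your CPU and kernel both support SSBD but the mitigation is not active)
EOF
}

# Real use: sudo ./spectre-meltdown-checker.sh --batch text | summarize_batch_text
sample_batch_text | summarize_batch_text || echo "verdict code: $?" >&2
```

Because the return code is carried through the pipeline, the same function can gate a deployment step or feed a monitoring check without any further parsing.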

Get JSON output:

$ sudo ./spectre-meltdown-checker.sh --batch json | jq .
[
  {
    "NAME": "SPECTRE VARIANT 1",
    "CVE": "CVE-2017-5753",
    "VULNERABLE": true,
    "INFOS": "Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers"
  },
  {
    "NAME": "SPECTRE VARIANT 2",
    "CVE": "CVE-2017-5715",
    "VULNERABLE": true,
    "INFOS": "IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability"
  },
  {
    "NAME": "MELTDOWN",
    "CVE": "CVE-2017-5754",
    "VULNERABLE": true,
    "INFOS": "PTI is needed to mitigate the vulnerability"
  },
  {
    "NAME": "VARIANT 3A",
    "CVE": "CVE-2018-3640",
    "VULNERABLE": false,
    "INFOS": "your CPU microcode mitigates the vulnerability"
  },
  {
    "NAME": "VARIANT 4",
    "CVE": "CVE-2018-3639",
    "VULNERABLE": true,
    "INFOS": "your CPU and kernel both support SSBD but the mitigation is not active"
  },
  {
    "NAME": "L1TF SGX",
    "CVE": "CVE-2018-3615",
    "VULNERABLE": false,
    "INFOS": "your CPU vendor reported your CPU model as not vulnerable"
  },
  {
    "NAME": "L1TF OS",
    "CVE": "CVE-2018-3620",
    "VULNERABLE": false,
    "INFOS": "Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled"
  },
  {
    "NAME": "L1TF VMM",
    "CVE": "CVE-2018-3646",
    "VULNERABLE": false,
    "INFOS": "this system is not running a hypervisor"
  },
  {
    "NAME": "MSBDS",
    "CVE": "CVE-2018-12126",
    "VULNERABLE": true,
    "INFOS": "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
  },
  {
    "NAME": "MFBDS",
    "CVE": "CVE-2018-12130",
    "VULNERABLE": true,
    "INFOS": "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
  },
  {
    "NAME": "MLPDS",
    "CVE": "CVE-2018-12127",
    "VULNERABLE": true,
    "INFOS": "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
  },
  {
    "NAME": "MDSUM",
    "CVE": "CVE-2019-11091",
    "VULNERABLE": true,
    "INFOS": "Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"
  },
  {
    "NAME": "TAA",
    "CVE": "CVE-2019-11135",
    "VULNERABLE": false,
    "INFOS": "your CPU vendor reported your CPU model as not vulnerable"
  },
  {
    "NAME": "ITLBMH",
    "CVE": "CVE-2018-12207",
    "VULNERABLE": false,
    "INFOS": "this system is not running a hypervisor"
  },
  {
    "NAME": "SRBDS",
    "CVE": "CVE-2020-0543",
    "VULNERABLE": false,
    "INFOS": "Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"
  }
]

Get output for the Prometheus node exporter:

$ sudo ./spectre-meltdown-checker.sh --batch prometheus
# TYPE specex_vuln_status untyped
# HELP specex_vuln_status Exposure of system to speculative execution vulnerabilities
specex_vuln_status{name="SPECTRE VARIANT 1",cve="CVE-2017-5753",status="VULN",info="Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers"} 1
specex_vuln_status{name="SPECTRE VARIANT 2",cve="CVE-2017-5715",status="VULN",info="IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability"} 1
specex_vuln_status{name="MELTDOWN",cve="CVE-2017-5754",status="VULN",info="PTI is needed to mitigate the vulnerability"} 1
specex_vuln_status{name="VARIANT 3A",cve="CVE-2018-3640",status="OK",info="your CPU microcode mitigates the vulnerability"} 1
specex_vuln_status{name="VARIANT 4",cve="CVE-2018-3639",status="VULN",info="your CPU and kernel both support SSBD but the mitigation is not active"} 1
specex_vuln_status{name="L1TF SGX",cve="CVE-2018-3615",status="OK",info="your CPU vendor reported your CPU model as not vulnerable"} 1
specex_vuln_status{name="L1TF OS",cve="CVE-2018-3620",status="OK",info="Mitigation: PTE Inversion; VMX: vulnerable, SMT disabled"} 1
specex_vuln_status{name="L1TF VMM",cve="CVE-2018-3646",status="OK",info="this system is not running a hypervisor"} 1
specex_vuln_status{name="MSBDS",cve="CVE-2018-12126",status="VULN",info="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"} 1
specex_vuln_status{name="MFBDS",cve="CVE-2018-12130",status="VULN",info="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"} 1
specex_vuln_status{name="MLPDS",cve="CVE-2018-12127",status="VULN",info="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"} 1
specex_vuln_status{name="MDSUM",cve="CVE-2019-11091",status="VULN",info="Your microcode and kernel are both up to date for this mitigation, but the mitigation is not active"} 1
specex_vuln_status{name="TAA",cve="CVE-2019-11135",status="OK",info="your CPU vendor reported your CPU model as not vulnerable"} 1
specex_vuln_status{name="ITLBMH",cve="CVE-2018-12207",status="OK",info="this system is not running a hypervisor"} 1
specex_vuln_status{name="SRBDS",cve="CVE-2020-0543",status="OK",info="Your microcode and kernel are both up to date for SRBDS mitigation control. Mitigation is enabled"} 1

Exit code 2 means that this system is vulnerable:

$ echo $?
2
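The Prometheus output and the exit code shown above combine naturally into a scheduled job for node_exporter's textfile collector. The function below is an added example, not from the post or from the checker project: it runs the checker (or any command passed to it), writes its output atomically as a .prom file (the collector only reads files with that extension, and a partially written file would be scraped as garbage), appends the checker's own return code as a gauge, and passes that code through so a cron wrapper can alert on 2. The textfile directory path, the function name and the fake checker used in testing are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or the checker project.
# Run the checker and publish its --batch prometheus output for
# node_exporter's textfile collector (--collector.textfile.directory).
# Usage: publish_specex_metrics DIR CMD [ARGS...]
#   e.g. publish_specex_metrics /var/lib/node_exporter/textfile_collector \
#            ./spectre-meltdown-checker.sh --batch prometheus
# Returns the checker's code (0 ok, 2 vulnerable, 3 unknown); 255 on failure.
publish_specex_metrics() {
    outdir="$1"; shift
    [ -d "$outdir" ] || { echo "missing textfile dir: $outdir" >&2; return 255; }
    # Write to a dotfile first: the collector ignores names not ending in .prom,
    # and mv within one filesystem makes the final file appear atomically.
    tmp=$(mktemp "$outdir/.specex.XXXXXX") || return 255
    rc=0
    "$@" > "$tmp" || rc=$?
    case "$rc" in
        0|2|3) ;;   # verdicts, not failures
        *) rm -f "$tmp"; echo "checker failed with code $rc" >&2; return 255 ;;
    esac
    {
        echo '# HELP specex_checker_exit_code Return code of spectre-meltdown-checker (0 ok, 2 vulnerable, 3 unknown)'
        echo '# TYPE specex_checker_exit_code gauge'
        echo "specex_checker_exit_code $rc"
    } >> "$tmp"
    mv "$tmp" "$outdir/specex.prom"
    return "$rc"
}
```

An alert rule on specex_vuln_status{status="VULN"} == 1 or on specex_checker_exit_code == 2 then flags hosts whose mitigations have been turned off, and the code in the exporter file distinguishes "vulnerable" from "the checker could not decide".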
