
How to tell if your Linux machine is patched against Meltdown and Spectre

Jack Wallen walks you through the process of testing to see if your Linux machines have been patched for the Meltdown and Spectre vulnerabilities.


Meltdown and Spectre have spent a lot of time in the spotlight lately, with good reason. Both of these vulnerabilities should be taken seriously. If you aren't aware of these two flaws, both take advantage of speculative instruction execution in CPUs. The end result is that, under the right conditions, data can be accessed.


All three of the main platforms, Windows, Linux, and macOS, have reportedly been patched for both Meltdown and Spectre. But how can you know, for certain, that the patch has been applied to your Linux machines? If you open a terminal window, issue the command uname -r, and get back one of the following kernels, you are okay:

  • 4.14.12
  • 4.9.75
  • 4.4.110

Those are all stable kernels and if you're running a machine with Intel, AMD, or ARM processors, you need to check for this immediately. If your machine isn't running one of the above kernels, upgrade.

But what if you run a non-stable kernel? Maybe you've opted to go with a cutting-edge kernel and cannot be certain, based on a kernel release number, whether your machine has been patched for Meltdown and Spectre. Or, for instance, you run a distribution like Elementary OS and your kernel (like mine) is 4.13.0-26. What then?

Fortunately, there's a quick way to find out if your running kernel has been patched against these vulnerabilities. What you do will depend upon your distribution. Let me show you.

Arch derivatives

If you're running Arch Linux or one of its derivatives, you need to open a terminal window and issue the following two commands:

zgrep CONFIG_PAGE_TABLE_ISOLATION /proc/config.gz
dmesg | grep iso

If your machine is patched against the vulnerabilities, the first command will return:

CONFIG_PAGE_TABLE_ISOLATION=y

The second command will return a message, indicating user page tables isolation has been enabled (Figure A).

Figure A: A patched Arch derivative.

If you do not see both of the above outputs, you need to immediately upgrade with the command:

sudo pacman -Syu

Ubuntu derivatives

For Ubuntu derivatives, open up your terminal window and issue the following command:

grep CONFIG_PAGE_TABLE_ISOLATION=y /boot/config-`uname -r` && echo "patched :)" || echo "unpatched :("

If your system is patched, the command will report as such (Figure B); otherwise it will return unpatched :(.

Figure B: An unpatched Ubuntu system.

If you see the unpatched warning, run an immediate upgrade. Your kernel should update. Reboot the system and then run the command a second time. The second iteration of the command should report the system has been patched (Figure C).

Figure C: A patched Ubuntu system.
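
The Arch and Ubuntu config checks above show only that page table isolation was compiled into the kernel. The following added example (not from the original article) wraps both checks in one function and also flags a kernel booted with nopti or pti=off, which switches the isolation off at boot. The function names kpti_status and kpti_status_local are illustrative, and the two boot parameters are not mentioned in the article.

```shell
#!/bin/sh
# Added example, not from the article: function names are illustrative.

# kpti_status CONFIG_FILE CMDLINE_FILE
# Prints: patched | disabled-at-boot | unpatched | unknown
kpti_status() {
    config=$1
    cmdline=$2

    # No readable kernel config: nothing can be concluded from it.
    [ -r "$config" ] || { echo unknown; return 0; }

    # /proc/config.gz is gzip-compressed; /boot/config-* is plain text.
    case $config in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac

    # The option must be built in (=y); absent or "is not set" means no KPTI.
    if ! $reader "$config" 2>/dev/null |
            grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$'; then
        echo unpatched
        return 0
    fi

    # Built-in isolation can still be turned off with nopti or pti=off.
    if [ -r "$cmdline" ] &&
            tr ' ' '\n' < "$cmdline" | grep -qx -e nopti -e pti=off; then
        echo disabled-at-boot
        return 0
    fi

    echo patched
}

# Pick the config location used in the Arch and Ubuntu sections above.
kpti_status_local() {
    if [ -r /proc/config.gz ]; then
        kpti_status /proc/config.gz /proc/cmdline
    else
        kpti_status "/boot/config-$(uname -r)" /proc/cmdline
    fi
}

kpti_status_local
```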

Other distributions

If you're not running either Arch or Ubuntu derivatives, there's a way for you to check as well. Open up a terminal window and issue the following command:

git clone https://github.com/speed47/spectre-meltdown-checker.git

NOTE: You will need to have git installed for the above command to run.

Once the above command completes, change into the newly created directory with the command cd spectre-meltdown-checker. Set the correct permissions for the checker file with the command chmod u+x spectre-meltdown-checker.sh and then execute the file with the command ./spectre-meltdown-checker.sh. The command will run its check and report immediately (Figure D).

Figure D: CentOS patched against Meltdown and Spectre.

Now you know

At this point, you know for certain if your Linux distribution is patched against Meltdown and Spectre. If you find out that it isn't, make sure to upgrade the kernel immediately, otherwise your systems will be vulnerable.


About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
