Spectre, Meltdown vulnerabilities

Ran the Spectre and Meltdown detection tool on one of our switches running 3.4.2 on an Edgecore 4610-54T with ARM71 processor, here are the results:

Spectre and Meltdown mitigation detection tool v0.23

Checking for vulnerabilities against live running kernel Linux 4.1.0-cl-6-iproc #1 SMP Cumulus 4.1.33-1+cl3u9 (2017-08-11) armv7l

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  UNKNOWN  (missing 'readelf' tool, please install it, usually it's in the 'binutils' package)
> STATUS:  UNKNOWN  (impossible to check )

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
*   Hardware (CPU microcode) support for mitigation:  UNKNOWN  (couldn't read /dev/cpu/0/msr, is msr support enabled in your kernel?)
*   Kernel support for IBRS:  NO
*   IBRS enabled for Kernel space:  NO
*   IBRS enabled for User space:  NO
* Mitigation 2
*   Kernel compiled with retpoline option:  NO
*   Kernel compiled with a retpoline-aware compiler:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI):  NO
* PTI enabled and active:  NO
> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

Any plans for mitigation?

Troy MacDonald

Posted 3 months ago

Pete B, Official Rep

Thanks for posting Troy. We are evaluating these vulnerabilities and will have updates available as soon as we can. If you want to stay up to date with security announcements, we do maintain a mailing list for them, so feel free to subscribe if you haven't already: https://lists.cumulusnetworks.com/listinfo/cumulus-security-announce

We issued a statement about these vulnerabilities last week in our knowledge base (https://support.cumulusnetworks.com/hc/en-us/articles/115015951667-Meltdown-and-Spectre-Modern-CPU-V...) and on our security mailing list (https://lists.cumulusnetworks.com/pipermail/cumulus-security-announce/2018-January/000011.html).