How To Verify Your Droplet is Protected From the MDS Vulnerability

Microarchitectural Data Sampling (MDS) Advisory: On 14 May 2019, Intel released a statement regarding Microarchitectural Data Sampling (MDS), a significant security vulnerability that affects cloud providers with multi-tenant environments, including DigitalOcean. In addition to the steps we are taking, which are described on our blog, we strongly recommend that you update your internal Droplet kernels to ensure you have the latest available bug fixes and security patches.

Here are the steps to patch your Droplet for the Intel MDS vulnerability (also known as Zombieload) and to verify the patch applied successfully.

Upgrade the Droplet’s Kernel

Full steps, including explanations, for upgrading your Droplets’ kernels can be found in our article How to Upgrade to the Latest Kernel. Make sure you power off and power on the Droplet when done, as explained in that article.

Verify Patch

If your Droplet is running a Linux OS (Ubuntu, Debian, CentOS, Fedora), you can use the following command to verify that it has been patched:

    cat /sys/devices/system/cpu/vulnerabilities/mds

A patched Droplet returns:

    Mitigation: Clear CPU buffers; SMT Host state unknown

That file path only exists if the Droplet has been patched, so an unpatched Droplet returns:

    cat: /sys/devices/system/cpu/vulnerabilities/mds: No such file or directory
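
As an added example (not part of the original article), the check above can be wrapped in a shell function that reports the result as a single word and an exit code, which is easier to run across many Droplets than reading the output by eye. The function name mds_status and its output words are assumptions of this example; the "Not affected" and "Vulnerable" prefixes are other values the Linux kernel can write to this file and are not shown in the article.

```shell
#!/bin/sh
# Added example: classify the kernel's MDS report for scripted checks.
# mds_status and its output words are hypothetical names for this example.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# mds_status [path]
#   Prints one word describing the MDS state and returns 0 only when the
#   kernel reports the CPU as mitigated or not affected.
mds_status() {
    file=${1:-$MDS_FILE}

    # The article's unpatched case: the kernel predates the MDS fixes,
    # so the sysfs entry does not exist at all.
    if [ ! -r "$file" ]; then
        echo "unpatched-kernel"
        return 1
    fi

    status=$(cat "$file")
    case $status in
        # The article's patched case, e.g.
        # "Mitigation: Clear CPU buffers; SMT Host state unknown"
        "Mitigation:"*)  echo "patched";      return 0 ;;
        # CPU model is not susceptible to MDS.
        "Not affected"*) echo "not-affected"; return 0 ;;
        # The kernel knows about MDS but reports the CPU as still exposed,
        # for example because mitigations are disabled or microcode is missing.
        "Vulnerable"*)   echo "vulnerable";   return 1 ;;
        # Anything else should be read by a person, not assumed safe.
        *)               echo "unknown";      return 1 ;;
    esac
}

# Run the real check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    mds_status
fi
```

Run the script with --check on the Droplet after the power cycle; a non-zero exit status means the Droplet still needs attention.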

If you’re using FreeBSD, you can find more information on this FreeBSD Security Advisory.
