Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and OSs

Developers of major operating systems and hypervisors misread documentation from Intel and introduced a the CVE-2018-8897 vulnerability into to their products.

The development communities of major operating systems and hypervisors misread documentation from Intel and introduced a potentially serious vulnerability to their products.

The CERT/CC speculates the root cause of the flaw is the developers misinterpretation of existing documentation provided by chip manufacturers.

“The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction” states the advisory published by CERT/CC.

The flaw, tracked as CVE-2018-8897, relates the way the operating systems and hypervisors handle MOV/POP to SS instructions.

“In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS.” continues the security advisory published by CERT/CC.

The CVE-2018-8897 flaw was discovered by the security experts Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io.

The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impact the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC published the complete list of companies whose products may be impacted)

An attacker needs local access to exploit the vulnerability and the impact depends on the specific vulnerable software. In the worst scenario, attackers can, potentially, gain access to sensitive memory information or control low-level operating system functions.

“Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3.” continues the advisory.

“This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.”

Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel.

According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the Microsoft’s kernel advisory

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Security patches for CVE-2018-8897 flaw have been released for many OS, including the Linux kernel, Windows, Xen, and Red Hat.”

Proof-of-concept (PoC) exploits have been released for Windows and Linux operating systems.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2018-8897, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]