CVE-2018-8897 Information
Description
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer’s Manual (SDM) was mishandled in the development of some or all operating-system kernels resulting in unexpected behavior for DB exceptions that are deferred by MOV SS or POP SS as demonstrated by (for example) privilege escalation in Windows macOS some Xen configurations or FreeBSD or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs) data breakpoints and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL SYSENTER INT 3 etc. that transfers control to the operating system at CPL 3 the debug exception is delivered after the transfer to CPL 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 http://openwall.com/lists/oss-security/2018/05/08/1 http://openwall.com/lists/oss-security/2018/05/08/4 http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en http://www.securityfocus.com/bid/104071 http://www.securitytracker.com/id/1040744 http://www.securitytracker.com/id/1040849 http://www.securitytracker.com/id/1040861 http://www.securitytracker.com/id/1040866 http://www.securitytracker.com/id/1040882 https://access.redhat.com/errata/RHSA-2018:1318 https://access.redhat.com/errata/RHSA-2018:1319 https://access.redhat.com/errata/RHSA-2018:1345 https://access.redhat.com/errata/RHSA-2018:1346 https://access.redhat.com/errata/RHSA-2018:1347 https://access.redhat.com/errata/RHSA-2018:1348 https://access.redhat.com/errata/RHSA-2018:1349 https://access.redhat.com/errata/RHSA-2018:1350 https://access.redhat.com/errata/RHSA-2018:1351 https://access.redhat.com/errata/RHSA-2018:1352 https://access.redhat.com/errata/RHSA-2018:1353 https://access.redhat.com/errata/RHSA-2018:1354 https://access.redhat.com/errata/RHSA-2018:1355 https://access.redhat.com/errata/RHSA-2018:1524 https://bugzilla.redhat.com/show_bug.cgi?id=1567074 https://github.com/can1357/CVE-2018-8897/ https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html https://patchwork.kernel.org/patch/10386677/ https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897 https://security.netapp.com/advisory/ntap-20180927-0002/ https://support.apple.com/HT208742 https://support.citrix.com/article/CTX234679 https://svnweb.freebsd.org/base?view=revision&revision=333368 https://usn.ubuntu.com/3641-1/ https://usn.ubuntu.com/3641-2/ https://www.debian.org/security/2018/dsa-4196 https://www.debian.org/security/2018/dsa-4201 https://www.exploit-db.com/exploits/44697/ https://www.exploit-db.com/exploits/45024/ https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc https://www.kb.cert.org/vuls/id/631579 https://www.synology.com/support/security/Synology_SA_18_21 https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html https://xenbits.xen.org/xsa/advisory-260.html
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
7.8
Share on: