Misinterpretation of Intel docs is the root cause for the CVE-2018-8897 flaw in Hypervisors and Oss

Developers of major operating systems and hypervisors misread documentation from Intel and introduced a the CVE-2018-8897 vulnerability into to their products.

The development communities of major operating systems and hypervisors misread documentation from Intel and introduced a potentially serious vulnerability to their products.

The CERT/CC speculates the root cause of the flaw is the developers misinterpretation of existing documentation provided by chip manufacturers.

“The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction” states the advisory published by CERT/CC.

The flaw, tracked as CVE-2018-8897, relates the way the operating systems and hypervisors handle MOV/POP to SS instructions.

“In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS.” continues the security advisorypublished by CERT/CC.

The CVE-2018-8897 flaw was discoveredby the security experts Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io.

The CERT/CC published a security advisory to warn of the CVE-2018-8897 flaw that impact the Linux kernel and software developed by major tech firms including Apple, the DragonFly BSD Project, Red Hat, the FreeBSD Project, Microsoft, SUSE Linux, Canonical, VMware, and the Xen Project (CERT/CC publishedthe complete list of companies whose products may be impacted)

An attacker needs local access to exploit the vulnerability and the impact depends on the specific vulnerable software. In the worst scenario, attackers can, potentially, gain access to sensitive memory information or control low-level operating system functions.

“Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3.” continues the advisory.

“This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.”

Experts explained that in the case of Linux, the flaw can trigger a denial-of-service (DoS) condition or cause the crash of the kernel.

According to Microsoft, an attacker can exploit the security flaw on Windows for privilege escalation.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the Microsoft’s kernel advisory

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.”

Security patches for CVE-2018-8897 flaw have been released for many OS, including the Linux kernelWindowsXen, and Red Hat.”

Proof-of-concept (PoC) exploits have been released for Windows and Linux operating systems.

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.


10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase