Vulnerability Note VU#631579

Hardware debug exception documentation may result in unexpected behavior

Original Release date: 08 May 2018 | Last revised: 21 May 2018

Overview

In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to stem from developers' interpretation of the existing documentation for certain Intel architecture instructions that affect interrupt and exception delivery, namely MOV SS and POP SS.

Description

CWE-703: Improper Check or Handling of Exceptional Conditions - CVE-2018-8897

The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single-step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A, section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV SS or POP SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A, section 2.3).

If the instruction following the MOV SS or POP SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at Current Privilege Level (CPL) < 3, a debug exception is delivered after the transfer to CPL < 3 is complete. Such deferred #DB exceptions by MOV SS and POP SS may result in unexpected behavior.

Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.

Several operating systems appear to incorrectly handle this exception due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions.

More details can be found in the researcher's paper.

Impact

An authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions.

Solution

Apply an update

Check with your operating system or software vendor for updates to address this issue. There is no expected performance impact for applying an update. A list of affected vendors and currently-known updates is provided below.

Vendor Information

Vendor                             Status        Date Notified  Date Updated
Apple                              Affected      30 Apr 2018    08 May 2018
Check Point Software Technologies  Affected      30 Apr 2018    10 May 2018
DragonFly BSD Project              Affected      30 Apr 2018    01 May 2018
FreeBSD Project                    Affected      30 Apr 2018    07 May 2018
Linux Kernel                       Affected      -              08 May 2018
Microsoft                          Affected      30 Apr 2018    01 May 2018
Red Hat, Inc.                      Affected      30 Apr 2018    08 May 2018
SUSE Linux                         Affected      30 Apr 2018    07 May 2018
Synology                           Affected      30 Apr 2018    09 May 2018
Ubuntu                             Affected      30 Apr 2018    01 May 2018
Ubuntu                             Affected      30 Apr 2018    08 May 2018
VMware                             Affected      30 Apr 2018    07 May 2018
Xen                                Affected      01 May 2018    01 May 2018
eero                               Not Affected  30 Apr 2018    08 May 2018
Intel                              Not Affected  30 Apr 2018    09 May 2018

CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.3    E:POC/RL:OF/RC:C
Environmental  5.3    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND
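The three scores above can be reproduced from their vectors. The calculator below is an added example, not part of the CERT/CC note; it implements the published CVSS v2 equations and metric weights (FIRST's CVSS v2 guide) and yields 6.8 / 5.3 / 5.3 for this note's vectors.

```python
# Added example: CVSS v2 base, temporal and environmental scoring from vector strings.
# Metric weights and equations follow the CVSS v2 guide (first.org/cvss/v2/guide).
from math import floor

BASE = {"AV": {"L": 0.395, "A": 0.646, "N": 1.0},
        "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
        "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
        "C": {"N": 0.0, "P": 0.275, "C": 0.660},
        "I": {"N": 0.0, "P": 0.275, "C": 0.660},
        "A": {"N": 0.0, "P": 0.275, "C": 0.660}}
TEMPORAL = {"E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
            "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
            "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}}
ENV = {"CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
       "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
       "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
       "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
       "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0}}

def parse(vector):
    """'AV:N/AC:M/...' -> {'AV': 'N', 'AC': 'M', ...}"""
    return dict(part.split(":") for part in vector.split("/"))

def round1(x):
    # CVSS v2 rounds to one decimal; floor(x*10+0.5) avoids Python's banker's rounding
    return floor(x * 10 + 0.5) / 10

def impact(m, cr=1.0, ir=1.0, ar=1.0):
    # With cr=ir=ar=1.0 this is the base Impact; otherwise it is AdjustedImpact
    c, i, a = BASE["C"][m["C"]], BASE["I"][m["I"]], BASE["A"][m["A"]]
    return min(10.0, 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar)))

def base_score(base_vec, cr=1.0, ir=1.0, ar=1.0):
    m = parse(base_vec)
    imp = impact(m, cr, ir, ar)
    expl = 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]
    f = 0 if imp == 0 else 1.176
    return round1((0.6 * imp + 0.4 * expl - 1.5) * f)

def temporal_score(base_vec, temp_vec, cr=1.0, ir=1.0, ar=1.0):
    t = parse(temp_vec)
    return round1(base_score(base_vec, cr, ir, ar) * TEMPORAL["E"][t["E"]]
                  * TEMPORAL["RL"][t["RL"]] * TEMPORAL["RC"][t["RC"]])

def environmental_score(base_vec, temp_vec, env_vec):
    e = parse(env_vec)
    # AdjustedTemporal: temporal score recomputed with the security-requirement weights
    adj = temporal_score(base_vec, temp_vec, ENV["CR"][e["CR"]], ENV["IR"][e["IR"]], ENV["AR"][e["AR"]])
    return round1((adj + (10 - adj) * ENV["CDP"][e["CDP"]]) * ENV["TD"][e["TD"]])

if __name__ == "__main__":
    b, t, e = "AV:N/AC:M/Au:N/C:P/I:P/A:P", "E:POC/RL:OF/RC:C", "CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND"
    print(base_score(b), temporal_score(b, t), environmental_score(b, t, e))  # 6.8 5.3 5.3
```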

Credit

Microsoft and Intel credit Nick Peterson of Everdox Tech, LLC, for responsibly reporting this vulnerability and working with the group on coordinated disclosure. Andy Lutomirski is also credited for assistance in documenting the vulnerability for Linux.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2018-8897
  • Date Public: 08 May 2018
  • Date First Published: 08 May 2018
  • Date Last Updated: 21 May 2018
  • Document Revision: 100
