CERT Coordination Center

Hardware debug exception documentation may result in unexpected behavior

Vulnerability Note VU#631579

Original Release Date: 2018-05-08 | Last Revised: 2018-06-06

Overview

In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception. The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV SS and POP SS.

Description

CWE-703: Improper Check or Handling of Exceptional Conditions - CVE-2018-8897

The MOV SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV SS or POP SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3).

If the instruction following the MOV SS or POP SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at Current Privilege Level (CPL) < 3, a debug exception is delivered after the transfer to CPL < 3 is complete. Such deferred #DB exceptions by MOV SS and POP SS may result in unexpected behavior.

Therefore, in certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3. This may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions.

Several operating systems appear to incorrectly handle this exception due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions.

More details can be found in the researcher's paper.
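As an added illustration (not from the CERT/CC note or the researcher's paper), the following Python heuristic flags the instruction pairing described above, a MOV SS or POP SS immediately followed by SYSCALL, SYSENTER or INT, in a raw code buffer so that a binary can be queued for closer review. The function names and sample bytes are constructed for this example; it is a linear byte scan, so it can also match inside data or in the middle of another instruction.

```python
"""Heuristic scan for MOV SS / POP SS directly followed by an OS entry instruction."""
from typing import List, NamedTuple, Optional


class Hit(NamedTuple):
    offset: int   # offset of the MOV SS / POP SS opcode byte
    first: str    # "MOV SS" or "POP SS"
    second: str   # the instruction that immediately follows it


def modrm_length(code: bytes, i: int) -> Optional[int]:
    """Bytes used by ModRM + SIB + displacement at code[i] (32/64-bit addressing).

    16-bit addressing (0x67 prefix) is not decoded; that is a known limitation.
    """
    if i >= len(code):
        return None
    mod, rm = code[i] >> 6, code[i] & 7
    n = 1
    if mod == 3:                       # register operand, nothing follows
        return n
    if rm == 4:                        # SIB byte present
        if i + 1 >= len(code):
            return None
        n += 1
        if mod == 0 and (code[i + 1] & 7) == 5:
            n += 4                     # SIB without base register: disp32
    if mod == 0 and rm == 5:
        n += 4                         # disp32 (RIP-relative in 64-bit mode)
    elif mod == 1:
        n += 1                         # disp8
    elif mod == 2:
        n += 4                         # disp32
    return n


def os_entry_at(code: bytes, i: int) -> Optional[str]:
    """Name the control transfer to the OS encoded at code[i], if any."""
    if code[i:i + 2] == b"\x0f\x05":
        return "SYSCALL"
    if code[i:i + 2] == b"\x0f\x34":
        return "SYSENTER"
    if code[i:i + 1] == b"\xcc":
        return "INT 3"
    if code[i:i + 1] == b"\xcd" and i + 1 < len(code):
        return f"INT {code[i + 1]:#04x}"
    return None


def scan(code: bytes, bits: int = 64) -> List[Hit]:
    """Return every MOV SS / POP SS whose next instruction enters the OS."""
    hits = []
    for i, opcode in enumerate(code):
        if opcode == 0x8E:                          # MOV Sreg, r/m16
            if i + 1 >= len(code) or (code[i + 1] >> 3) & 7 != 2:
                continue                            # ModRM.reg 2 selects SS
            length = modrm_length(code, i + 1)
            if length is None:
                continue
            first, nxt = "MOV SS", i + 1 + length
        elif opcode == 0x17 and bits == 32:         # POP SS, not valid in 64-bit mode
            first, nxt = "POP SS", i + 1
        else:
            continue
        second = os_entry_at(code, nxt)
        if second:
            hits.append(Hit(i, first, second))
    return hits


# Constructed sample buffers (not taken from any real binary).
SAMPLE_64 = bytes.fromhex(
    "90"            # nop
    "8ed0 0f05"     # mov ss, eax ; syscall        -> flagged
    "c3"            # ret
    "8e542408 cc"   # mov ss, [rsp+8] ; int3       -> flagged
    "8ed8 0f05"     # mov ds, eax ; syscall        -> not SS, ignored
    "8ed0 90 0f05"  # mov ss, eax ; nop ; syscall  -> not adjacent, ignored
)
SAMPLE_32 = bytes.fromhex("17 cd80 c3")   # pop ss ; int 0x80 ; ret

if __name__ == "__main__":
    for hit in scan(SAMPLE_64) + scan(SAMPLE_32, bits=32):
        print(f"offset {hit.offset:#x}: {hit.first} followed by {hit.second}")
```

A hit is only a lead for manual review: confirm it with a real disassembler on the executable sections before drawing conclusions.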

Impact

An authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions.

Solution

Apply an update

Check with your operating system or software vendor for updates to address this issue. There is no expected performance impact for applying an update. A list of affected vendors and currently-known updates is provided below.

Vendor Information

Apple

Notified:  May 01, 2018 Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Apple has released a Security Update 2018-001 to address this issue.

Check Point Software Technologies

Notified:  May 01, 2018 Updated:  May 10, 2018

Statement Date:   May 10, 2018

Status

  Affected

Vendor Statement

Check Point sees these as non-exploitable, taking our business logic and best practices into consideration.

See details at SecureKnowledge sk126534.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project

Notified:  May 01, 2018 Updated:  May 01, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  April 30, 2018 Updated:  May 07, 2018

Statement Date:   May 07, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

More information is available in the FreeBSD Security Advisory 18:06.

Linux Kernel

Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The issue was fixed upstream on March 23, with Linux "stable" branches fixed shortly thereafter. Therefore the following kernels (or higher) contain the patch: 4.15.14, 4.14.31, 4.9.91, 4.4.125. The older 4.1, 3.16, and 3.2 branches are also affected.
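The version thresholds above can be checked mechanically. This added example (not part of the advisory or of the kernel project's tooling) classifies a `uname -r` string against them; the status labels and function names are assumptions, releases newer than 4.15 are treated as covered by "or higher", and an unpatched-looking release with a distribution suffix yields `check-vendor` because distribution kernels backport fixes without changing the upstream version number.

```python
"""Classify a Linux kernel release string against the fixed versions in VU#631579."""
import re
from typing import Tuple

# First fixed release on each stable branch, as listed in the advisory text.
FIXED_PATCHLEVEL = {(4, 15): 14, (4, 14): 31, (4, 9): 91, (4, 4): 125}
# Branches the advisory calls affected without naming a fixed release.
AFFECTED_NO_FIX_LISTED = {(4, 1), (3, 16), (3, 2)}

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_release(release: str) -> Tuple[int, int, int, str]:
    """Split e.g. '4.15.0-20-generic' into (4, 15, 0, '-20-generic')."""
    match = _RELEASE.match(release.strip())
    if not match:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch, suffix = match.groups()
    return int(major), int(minor), int(patch or 0), suffix


def classify(release: str) -> str:
    """Return one of: patched, vulnerable, affected-branch, unlisted, check-vendor."""
    major, minor, patch, suffix = parse_release(release)
    branch = (major, minor)
    if branch in FIXED_PATCHLEVEL:
        status = "patched" if patch >= FIXED_PATCHLEVEL[branch] else "vulnerable"
    elif branch > max(FIXED_PATCHLEVEL):
        status = "patched"            # assumption: "or higher" covers newer branches
    elif branch in AFFECTED_NO_FIX_LISTED:
        status = "affected-branch"    # affected, but no fixed release named here
    else:
        status = "unlisted"           # branch not mentioned in the advisory
    # A suffix usually marks a distribution build whose fixes are backported,
    # so the upstream number alone cannot show that it is unpatched.
    if status != "patched" and suffix:
        return "check-vendor"
    return status


if __name__ == "__main__":
    import platform

    running = platform.release()
    print(f"{running}: {classify(running)}")
```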

Microsoft

Notified:  May 01, 2018 Updated:  May 01, 2018

Statement Date:   May 01, 2018

Status

  Affected

Vendor Statement

The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc.

Notified:  May 01, 2018 Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Red Hat Enterprise Linux is affected. Please see the security advisory for more information.

Ubuntu

Notified:  May 01, 2018 Updated:  May 01, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu

Notified:  May 01, 2018 Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see Ubuntu Security Notices USN-3641-1 and USN-3641-2 for more details.

VMware

Notified:  May 01, 2018 Updated:  May 07, 2018

Statement Date:   May 07, 2018

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

VMware has issued a statement about this vulnerability report. Please see the statement for full details.

Xen

Notified:  May 01, 2018 Updated:  May 01, 2018

Statement Date:   May 01, 2018

Status

  Affected

Vendor Statement

All versions of Xen are vulnerable. Only x86 systems are vulnerable.  ARM systems are not vulnerable.

Only x86 PV guests can exploit the vulnerability.  x86 HVM and PVH guests cannot exploit the vulnerability.

An attacker needs to be able to control hardware debugging facilities to exploit the vulnerability, but such permissions are typically available to unprivileged users.
 

MITIGATION
==========

Running only HVM or PVH guests avoids the vulnerability.

Note however that a compromised device model (running in dom0 or a stub domain) can carry out this attack, so users with HVM domains are also advised to patch their systems.


RESOLUTION
==========
Applying the appropriate attached patch resolves this issue.

Vendor Information

For the full statement, please see Xen Advisory 260.

Brocade Communication Systems

Notified:  May 01, 2018 Updated:  May 30, 2018

Statement Date:   May 27, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel

Notified:  May 01, 2018 Updated:  May 09, 2018

Statement Date:   May 05, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

At this time, we are not aware of any Intel Products affected by CVE-2018-8897.

Joyent

Notified:  May 01, 2018 Updated:  May 01, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SmartOS does not allow access to the debug register outside of debug mode and so is not affected.

NetBSD

Notified:  May 01, 2018 Updated:  May 01, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

NetBSD does not support the debug register and so is not affected.

OpenBSD

Notified:  May 01, 2018 Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

QUALCOMM Incorporated

Notified:  May 01, 2018 Updated:  June 06, 2018

Statement Date:   June 05, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL

Notified:  May 01, 2018 Updated:  May 21, 2018

Statement Date:   May 14, 2018

Status

  Not Affected

Vendor Statement

No Zyxel products are vulnerable to unexpected operating system behavior resulting from an Intel architecture hardware debug exception, as reported in [CERT/CC] vulnerability note VU#631579 at https://www.kb.cert.org/vuls/id/631579.

Vendor Information

Zyxel has issued Zyxel-SA-1135-01 stating that no products are affected.

eero

Notified:  May 01, 2018 Updated:  May 08, 2018

Statement Date:   May 08, 2018

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

3com Inc

Notified:  May 01, 2018 Updated:  April 30, 2018

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    ACCESS

    Notified:  May 01, 2018 Updated:  April 30, 2018

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      ADTRAN

      Notified:  May 01, 2018 Updated:  April 30, 2018

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        ARRIS

        Notified:  May 01, 2018 Updated:  April 30, 2018

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          ASP Linux

          Notified:  May 01, 2018 Updated:  April 30, 2018

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            AT&T

            Notified:  May 01, 2018 Updated:  April 30, 2018

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              AVM GmbH

              Notified:  May 01, 2018 Updated:  April 30, 2018

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Actiontec

                Notified:  May 01, 2018 Updated:  April 30, 2018

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  AirWatch

                  Notified:  May 01, 2018 Updated:  April 30, 2018

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    Alcatel-Lucent Enterprise

                    Notified:  May 01, 2018 Updated:  April 30, 2018

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      Appgate Network Security

                      Notified:  May 01, 2018 Updated:  April 30, 2018

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Arch Linux

                        Notified:  May 01, 2018 Updated:  April 30, 2018

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Arista Networks, Inc.

                          Notified:  May 01, 2018 Updated:  April 30, 2018

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            AsusTek Computer Inc.

                            Notified:  May 01, 2018 Updated:  April 30, 2018

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              Avaya, Inc.

                              Notified:  May 01, 2018 Updated:  April 30, 2018

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Belkin, Inc.

                                Notified:  May 01, 2018 Updated:  April 30, 2018

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  BlackBerry

                                  Notified:  May 01, 2018 Updated:  April 30, 2018

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    BlueCat Networks, Inc.

                                    Notified:  May 01, 2018 Updated:  April 30, 2018

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      Broadcom

                                      Notified:  May 01, 2018 Updated:  April 30, 2018

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        CA Technologies

                                        Notified:  May 01, 2018 Updated:  April 30, 2018

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Cambium Networks

                                          Notified:  May 01, 2018 Updated:  April 30, 2018

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Cisco

                                            Notified:  May 01, 2018 Updated:  April 30, 2018

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Command Software Systems

                                              Notified:  May 01, 2018 Updated:  April 30, 2018

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                CoreOS

                                                Notified:  May 01, 2018 Updated:  April 30, 2018

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  D-Link Systems, Inc.

                                                  Notified:  May 01, 2018 Updated:  April 30, 2018

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Debian GNU/Linux

                                                    Notified:  May 01, 2018 Updated:  April 30, 2018

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      Dell

                                                      Notified:  May 01, 2018 Updated:  April 30, 2018

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Dell EMC

                                                        Notified:  May 01, 2018 Updated:  April 30, 2018

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Deutsche Telekom

                                                          Notified:  May 01, 2018 Updated:  April 30, 2018

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Devicescape

                                                            Notified:  May 01, 2018 Updated:  April 30, 2018

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Digi International

                                                              Notified:  May 01, 2018 Updated:  April 30, 2018

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Espressif Systems

                                                                Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Fedora Project

                                                                  Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    Force10 Networks

                                                                    Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      GNU glibc

                                                                      Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Gentoo Linux

                                                                        Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Google

                                                                          Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            HP Inc.

                                                                            Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              HTC

                                                                              Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                HardenedBSD

                                                                                Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  Hitachi

                                                                                  Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Honeywell

                                                                                    Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      Huawei Technologies

                                                                                      Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

IBM Corporation (zseries)

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM eServer

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM, INC.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

InfoExpress, Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Infoblox

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium - DHCP

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Interniche Technologies, inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Lancope

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Lantronix

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Lenovo

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Linksys

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Marvell Semiconductors

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

McAfee

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

MediaTek

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

MetaSwitch

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Micro Focus

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microchip Technology

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

MikroTik

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Miredo

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Mitel Networks, Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NETSCOUT

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Netgear, Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nominum

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified: May 01, 2018 Updated: May 07, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Oracle Solaris is not affected by CVE-2018-8897.

Peplink

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Philips Electronics

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

PowerDNS

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QLogic

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Quagga

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Quantenna Communications

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Roku

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ruckus Wireless

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

SafeNet

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Samsung Mobile

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Secure64 Software Corporation

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sierra Wireless

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Slackware Linux Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Snort

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sonos

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TP-LINK

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Technicolor

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Toshiba Commerce Solutions

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TrueOS

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubiquiti Networks

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Wind River

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Zebra Technologies

Notified: May 01, 2018 Updated: April 30, 2018

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

                                                                                                                                                                                                    ZyXEL

                                                                                                                                                                                                    Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                    Status

                                                                                                                                                                                                      Unknown

                                                                                                                                                                                                    Vendor Statement

                                                                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                    Vendor References

                                                                                                                                                                                                      aep NETWORKS

                                                                                                                                                                                                      Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                      Status

                                                                                                                                                                                                        Unknown

                                                                                                                                                                                                      Vendor Statement

                                                                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                      Vendor References

                                                                                                                                                                                                        dnsmasq

                                                                                                                                                                                                        Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                        Status

                                                                                                                                                                                                          Unknown

                                                                                                                                                                                                        Vendor Statement

                                                                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                        Vendor References

                                                                                                                                                                                                          eCosCentric

                                                                                                                                                                                                          Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                          Status

                                                                                                                                                                                                            Unknown

                                                                                                                                                                                                          Vendor Statement

                                                                                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                          Vendor References

                                                                                                                                                                                                            m0n0wall

                                                                                                                                                                                                            Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                            Status

                                                                                                                                                                                                              Unknown

                                                                                                                                                                                                            Vendor Statement

                                                                                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                            Vendor References

                                                                                                                                                                                                              netsnmp

                                                                                                                                                                                                              Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                              Status

                                                                                                                                                                                                                Unknown

                                                                                                                                                                                                              Vendor Statement

                                                                                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                              Vendor References

                                                                                                                                                                                                                pfSENSE

                                                                                                                                                                                                                Notified:  May 01, 2018 Updated:  April 30, 2018

                                                                                                                                                                                                                Status

                                                                                                                                                                                                                  Unknown

                                                                                                                                                                                                                Vendor Statement

                                                                                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                                                                                Vendor References


CVSS Metrics

Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.3    E:POC/RL:OF/RC:C
Environmental  5.3    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Microsoft and Intel credit Nick Peterson of Everdox Tech, LLC for responsibly reporting this vulnerability and working with the group on coordinated disclosure. Andy Lutomirski is also credited for assistance in documenting the vulnerability for Linux.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2018-8897
Date Public: 2018-05-08
Date First Published: 2018-05-08
Date Last Updated: 2018-06-06 18:17 UTC
Document Revision: 105

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.