CVE-2018-8897
CVE-2018-8897 is a vulnerability of currently unknown severity. EPSS estimates an 18.40% chance of exploitation in the next 30 days.
Description
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Debian | Debian Linux | 8.0 |
| Debian | Debian Linux | 9.0 |
| Canonical | Ubuntu Linux | 14.04 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 17.10 |
| Red Hat | Enterprise Linux Server | 7.0 |
| Red Hat | Enterprise Linux Workstation | 7.0 |
| Red Hat | Enterprise Virtualization Manager | 3.0 |
| Citrix | XenServer | 6.0.2 |
| Citrix | XenServer | 6.2.0 |
| Citrix | XenServer | 6.5 |
| Citrix | XenServer | 7.0 |
| Citrix | XenServer | 7.1 |
| Citrix | XenServer | 7.2 |
| Citrix | XenServer | 7.3 |
| Citrix | XenServer | 7.4 |
| Synology | SkyNAS | All versions |
| Synology | DiskStation Manager | 5.2 |
| Synology | DiskStation Manager | 6.0 |
| Synology | DiskStation Manager | 6.1 |
| Apple | Mac OS X | < 10.13.4 |
| Xen | Xen | All versions |
| FreeBSD | FreeBSD | >= 11.0, < 11.1 |
References
- http://openwall.com/lists/oss-security/2018/05/08/1 (Mailing List, Third Party Advisory)
- http://openwall.com/lists/oss-security/2018/05/08/4 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/104071 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040744 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040849 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040861 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040866 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1040882 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2018:1318 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1319 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1345 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1346 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1347 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1348 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1349 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1350 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1351 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1352 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1353 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1354 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1355 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:1524 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1567074 (Issue Tracking, Third Party Advisory)
- https://github.com/can1357/CVE-2018-8897/ (Exploit, Third Party Advisory)
- https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html (Third Party Advisory)
- https://patchwork.kernel.org/patch/10386677/ (Patch, Third Party Advisory)
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897 (Patch, Third Party Advisory, Vendor Advisory)
- https://support.apple.com/HT208742 (Third Party Advisory)
- https://support.citrix.com/article/CTX234679 (Third Party Advisory)
- https://svnweb.freebsd.org/base?view=revision&revision=333368 (Third Party Advisory)
- https://usn.ubuntu.com/3641-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3641-2/ (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4196 (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4201 (Third Party Advisory)
- https://www.exploit-db.com/exploits/44697/ (Exploit, Third Party Advisory, VDB Entry)
- https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc (Third Party Advisory)
- https://www.synology.com/support/security/Synology_SA_18_21 (Third Party Advisory)
- https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html (Third Party Advisory)
- https://xenbits.xen.org/xsa/advisory-260.html (Patch, Third Party Advisory)
Source: NVD / NIST
