CVE-2018-8897

HIGH

Description

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

References

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9

http://openwall.com/lists/oss-security/2018/05/08/1

http://openwall.com/lists/oss-security/2018/05/08/4

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en

http://www.securityfocus.com/bid/104071

http://www.securitytracker.com/id/1040744

http://www.securitytracker.com/id/1040849

http://www.securitytracker.com/id/1040861

http://www.securitytracker.com/id/1040866

http://www.securitytracker.com/id/1040882

https://access.redhat.com/errata/RHSA-2018:1318

https://access.redhat.com/errata/RHSA-2018:1319

https://access.redhat.com/errata/RHSA-2018:1345

https://access.redhat.com/errata/RHSA-2018:1346

https://access.redhat.com/errata/RHSA-2018:1347

https://access.redhat.com/errata/RHSA-2018:1348

https://access.redhat.com/errata/RHSA-2018:1349

https://access.redhat.com/errata/RHSA-2018:1350

https://access.redhat.com/errata/RHSA-2018:1351

https://access.redhat.com/errata/RHSA-2018:1352

https://access.redhat.com/errata/RHSA-2018:1353

https://access.redhat.com/errata/RHSA-2018:1354

https://access.redhat.com/errata/RHSA-2018:1355

https://access.redhat.com/errata/RHSA-2018:1524

https://bugzilla.redhat.com/show_bug.cgi?id=1567074

https://github.com/can1357/CVE-2018-8897/

https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9

https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0

https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html

https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html

https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html

https://patchwork.kernel.org/patch/10386677/

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897

https://security.netapp.com/advisory/ntap-20180927-0002/

https://support.apple.com/HT208742

https://support.citrix.com/article/CTX234679

https://svnweb.freebsd.org/base?view=revision&revision=333368

https://usn.ubuntu.com/3641-1/

https://usn.ubuntu.com/3641-2/

https://www.debian.org/security/2018/dsa-4196

https://www.debian.org/security/2018/dsa-4201

https://www.exploit-db.com/exploits/44697/

https://www.exploit-db.com/exploits/45024/

https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc

https://www.kb.cert.org/vuls/id/631579

https://www.synology.com/support/security/Synology_SA_18_21

https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html

https://xenbits.xen.org/xsa/advisory-260.html

Details

Source: MITRE

Published: 2018-05-08

Updated: 2019-10-03

Type: CWE-362

Risk Information

CVSS v2.0

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 3.9

Severity: HIGH

CVSS v3.0

Base Score: 7.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 1.8

Severity: HIGH

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 140019 | OracleVM 3.4 : xen (OVMSA-2020-0039) (Bunker Buster) (Foreshadow) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) (Meltdown) (POODLE) (Spectre) | Nessus | OracleVM Local Security Checks | critical |
| 132252 | RancherOS < 1.4.0 Information Disclosure | Nessus | Misc. | high |
| 127192 | NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel-rt Multiple Vulnerabilities (NS-SA-2019-0028) | Nessus | NewStart CGSL Local Security Checks | high |
| 127185 | NewStart CGSL CORE 5.04 / MAIN 5.04 : kernel Multiple Vulnerabilities (NS-SA-2019-0025) | Nessus | NewStart CGSL Local Security Checks | high |
| 700516 | macOS 10.13.x < 10.13.5 Multiple Vulnerabilities | Nessus Network Monitor | Operating System Detection | critical |
| 121933 | Photon OS 2.0: Linux PHSA-2018-2.0-0037-(a) | Nessus | PhotonOS Local Security Checks | high |
| 121836 | Photon OS 1.0: Linux PHSA-2018-1.0-0132-(a) | Nessus | PhotonOS Local Security Checks | high |
| 120686 | Fedora 28 : xen (2018-a7ac26523d) | Nessus | Fedora Local Security Checks | high |
| 119886 | pfSense 2.3.x < 2.3.5-p2 / 2.4.x < 2.4.3-p1 Multiple Vulnerabilities (SA-18_04 / SA-18_05) | Nessus | Firewalls | high |
| 118963 | OracleVM 3.2 : xen (OVMSA-2018-0272) (Foreshadow) (Spectre) | Nessus | OracleVM Local Security Checks | high |
| 118962 | OracleVM 3.3 : xen (OVMSA-2018-0271) (Foreshadow) (Spectre) | Nessus | OracleVM Local Security Checks | high |
| 118892 | Debian DLA-1577-1 : xen security update | Nessus | Debian Local Security Checks | high |
| 118635 | F5 Networks BIG-IP : Linux kernel vulnerability (K17403481) | Nessus | F5 Networks Local Security Checks | high |
| 118304 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:3230-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 118252 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1173-2) | Nessus | SuSE Local Security Checks | high |
| 117579 | EulerOS Virtualization 2.5.0 : kernel (EulerOS-SA-2018-1270) | Nessus | Huawei Local Security Checks | high |
| 117572 | EulerOS Virtualization 2.5.1 : kernel (EulerOS-SA-2018-1263) | Nessus | Huawei Local Security Checks | high |
| 111992 | OracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre) | Nessus | OracleVM Local Security Checks | critical |
| 111933 | Photon OS 1.0: Linux PHSA-2018-1.0-0132-(a) (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 111296 | Photon OS 2.0 : linux-aws / linux-esx / linux-secure / linux (PhotonOS-PHSA-2018-2.0-0037-(a)) (deprecated) | Nessus | PhotonOS Local Security Checks | high |
| 111002 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180710) (Spectre) | Nessus | Scientific Linux Local Security Checks | high |
| 110379 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1549-1) | Nessus | SuSE Local Security Checks | high |
| 110378 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1548-1) | Nessus | SuSE Local Security Checks | high |
| 110377 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1546-1) | Nessus | SuSE Local Security Checks | high |
| 110376 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1545-1) | Nessus | SuSE Local Security Checks | high |
| 110375 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1543-1) | Nessus | SuSE Local Security Checks | high |
| 110374 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1541-1) | Nessus | SuSE Local Security Checks | high |
| 110373 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1540-1) | Nessus | SuSE Local Security Checks | high |
| 110372 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1539-1) | Nessus | SuSE Local Security Checks | high |
| 110371 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1538-1) | Nessus | SuSE Local Security Checks | high |
| 110370 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1537-1) | Nessus | SuSE Local Security Checks | high |
| 110369 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1536-1) | Nessus | SuSE Local Security Checks | high |
| 110368 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1535-1) | Nessus | SuSE Local Security Checks | high |
| 110367 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1534-1) | Nessus | SuSE Local Security Checks | high |
| 110366 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1533-1) | Nessus | SuSE Local Security Checks | high |
| 110365 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1532-1) | Nessus | SuSE Local Security Checks | high |
| 110364 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1531-1) | Nessus | SuSE Local Security Checks | high |
| 110363 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1530-1) | Nessus | SuSE Local Security Checks | high |
| 110362 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1529-1) | Nessus | SuSE Local Security Checks | high |
| 110361 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1528-1) | Nessus | SuSE Local Security Checks | high |
| 110360 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1526-1) | Nessus | SuSE Local Security Checks | high |
| 110358 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1524-1) | Nessus | SuSE Local Security Checks | high |
| 110357 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1523-1) | Nessus | SuSE Local Security Checks | high |
| 110356 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1522-1) | Nessus | SuSE Local Security Checks | high |
| 110355 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1521-1) | Nessus | SuSE Local Security Checks | high |
| 110354 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1520-1) | Nessus | SuSE Local Security Checks | high |
| 110353 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1519-1) | Nessus | SuSE Local Security Checks | high |
| 110352 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1518-1) | Nessus | SuSE Local Security Checks | high |
| 110351 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1517-1) | Nessus | SuSE Local Security Checks | high |
| 110350 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1516-1) | Nessus | SuSE Local Security Checks | high |
| 110349 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1514-1) | Nessus | SuSE Local Security Checks | high |
| 110348 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1513-1) | Nessus | SuSE Local Security Checks | high |
| 110347 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1512-1) | Nessus | SuSE Local Security Checks | high |
| 110346 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1511-1) | Nessus | SuSE Local Security Checks | high |
| 110345 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1510-1) | Nessus | SuSE Local Security Checks | high |
| 110344 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1509-1) | Nessus | SuSE Local Security Checks | high |
| 110341 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1506-1) | Nessus | SuSE Local Security Checks | high |
| 110340 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1505-1) | Nessus | SuSE Local Security Checks | high |
| 110323 | macOS and Mac OS X Multiple Vulnerabilities (Security Update 2018-003) | Nessus | MacOS X Local Security Checks | high |
| 110314 | Debian DLA-1392-1 : linux security update | Nessus | Debian Local Security Checks | high |
| 110245 | CentOS 7 : kernel (CESA-2018:1318) | Nessus | CentOS Local Security Checks | high |
| 110234 | Virtuozzo 7 : anaconda / anaconda-core / anaconda-dracut / etc (VZA-2018-037) | Nessus | Virtuozzo Local Security Checks | high |
| 110197 | Amazon Linux AMI : kernel (ALAS-2018-1023) | Nessus | Amazon Linux Local Security Checks | high |
| 110196 | Amazon Linux 2 : kernel (ALAS-2018-1023) | Nessus | Amazon Linux Local Security Checks | high |
| 110169 | Fedora 26 : xen (2018-7cd077ddd3) | Nessus | Fedora Local Security Checks | high |
| 110159 | Debian DLA-1383-1 : xen security update | Nessus | Debian Local Security Checks | high |
| 110113 | RHEL 6 / 7 : Virtualization (RHSA-2018:1711) (Spectre) | Nessus | Red Hat Local Security Checks | high |
| 110112 | RHEL 7 : Virtualization (RHSA-2018:1710) (Spectre) | Nessus | Red Hat Local Security Checks | high |
| 109989 | OracleVM 3.4 : xen (OVMSA-2018-0221) | Nessus | OracleVM Local Security Checks | high |
| 109987 | OracleVM 3.4 : xen (OVMSA-2018-0218) (Meltdown) (Spectre) | Nessus | OracleVM Local Security Checks | high |
| 109909 | RHEL 7 : Virtualization (RHSA-2018:1524) | Nessus | Red Hat Local Security Checks | high |
| 109881 | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4110) (Meltdown) (Spectre) | Nessus | Oracle Linux Local Security Checks | high |
| 109875 | Fedora 27 : xen (2018-98684f429b) | Nessus | Fedora Local Security Checks | high |
| 109829 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4109) (Meltdown) (Spectre) | Nessus | Oracle Linux Local Security Checks | high |
| 109816 | Debian DSA-4201-1 : xen - security update | Nessus | Debian Local Security Checks | high |
| 109813 | EulerOS 2.0 SP3 : kernel (EulerOS-SA-2018-1121) | Nessus | Huawei Local Security Checks | high |
| 109801 | Virtuozzo 6 : parallels-server-bm-release / vzkernel / etc (VZA-2018-029) | Nessus | Virtuozzo Local Security Checks | high |
| 109758 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1221-1) | Nessus | SuSE Local Security Checks | high |
| 109757 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1220-1) | Nessus | SuSE Local Security Checks | high |
| 109756 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:1216-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109754 | RHEL 6 : MRG (RHSA-2018:1354) | Nessus | Red Hat Local Security Checks | high |
| 109751 | openSUSE Security Update : xen (openSUSE-2018-454) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109727 | Xen Intel Architecture Debug Exception Handling Local Privilege Escalation (XSA-260) | Nessus | Misc. | high |
| 109725 | Citrix XenServer Multiple Vulnerabilities (CTX234679) | Nessus | Misc. | high |
| 109722 | SUSE SLES11 Security Update : xen (SUSE-SU-2018:1203-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109721 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:1202-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109677 | SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:1184-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109676 | SUSE SLES11 Security Update : xen (SUSE-SU-2018:1181-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109672 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:1177-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
| 109668 | OracleVM 3.3 : Unbreakable / etc (OVMSA-2018-0041) (Spectre) | Nessus | OracleVM Local Security Checks | high |
| 109667 | OracleVM 3.4 : Unbreakable / etc (OVMSA-2018-0040) | Nessus | OracleVM Local Security Checks | high |
| 109665 | Oracle Linux 7 : kernel (ELSA-2018-1318) | Nessus | Oracle Linux Local Security Checks | high |
| 109658 | Debian DSA-4196-1 : linux - security update | Nessus | Debian Local Security Checks | high |
| 109655 | CentOS 6 : kernel (CESA-2018:1319) (Meltdown) | Nessus | CentOS Local Security Checks | critical |
| 109651 | Security Updates for Windows Server 2008 (May 2018) | Nessus | Windows : Microsoft Bulletins | high |
| 109650 | Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : linux, linux-aws, linux-azure, linux-euclid, linux-gcp, linux-hwe, (USN-3641-1) | Nessus | Ubuntu Local Security Checks | high |
| 109647 | SUSE SLES12 Security Update : kernel (SUSE-SU-2018:1173-1) | Nessus | SuSE Local Security Checks | high |
| 109646 | SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1172-1) | Nessus | SuSE Local Security Checks | high |
| 109645 | SUSE SLES11 Security Update : kernel (SUSE-SU-2018:1171-1) | Nessus | SuSE Local Security Checks | high |
| 109644 | Scientific Linux Security Update : kernel on SL7.x x86_64 (20180508) | Nessus | Scientific Linux Local Security Checks | high |
| 109643 | Scientific Linux Security Update : kernel on SL6.x i386/x86_64 (20180508) (Meltdown) | Nessus | Scientific Linux Local Security Checks | critical |
| 109642 | RHEL 7 : kernel-rt (RHSA-2018:1355) | Nessus | Red Hat Local Security Checks | high |
| 109641 | RHEL 6 : kernel (RHSA-2018:1351) | Nessus | Red Hat Local Security Checks | high |
| 109640 | RHEL 6 : kernel (RHSA-2018:1350) | Nessus | Red Hat Local Security Checks | high |
| 109639 | RHEL 6 : kernel (RHSA-2018:1349) | Nessus | Red Hat Local Security Checks | high |
| 109638 | RHEL 7 : kernel (RHSA-2018:1348) | Nessus | Red Hat Local Security Checks | high |
| 109637 | RHEL 7 : kernel (RHSA-2018:1347) | Nessus | Red Hat Local Security Checks | high |
| 109636 | RHEL 6 : kernel (RHSA-2018:1346) (Meltdown) | Nessus | Red Hat Local Security Checks | high |
| 109635 | RHEL 7 : kernel (RHSA-2018:1345) | Nessus | Red Hat Local Security Checks | high |
| 109634 | RHEL 6 : kernel (RHSA-2018:1319) (Meltdown) | Nessus | Red Hat Local Security Checks | critical |
| 109633 | RHEL 7 : kernel (RHSA-2018:1318) | Nessus | Red Hat Local Security Checks | high |
| 109632 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4098) | Nessus | Oracle Linux Local Security Checks | high |
| 109631 | Oracle Linux 6 : Unbreakable Enterprise kernel (ELSA-2018-4097) | Nessus | Oracle Linux Local Security Checks | high |
| 109630 | Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2018-4096) | Nessus | Oracle Linux Local Security Checks | high |
| 109629 | Oracle Linux 6 : kernel (ELSA-2018-1319) (Meltdown) | Nessus | Oracle Linux Local Security Checks | critical |
| 109625 | FreeBSD : FreeBSD -- Mishandling of x86 debug exceptions (521ce804-52fd-11e8-9123-a4badb2f4699) | Nessus | FreeBSD Local Security Checks | high |
| 109620 | EulerOS 2.0 SP2 : kernel (EulerOS-SA-2018-1120) | Nessus | Huawei Local Security Checks | high |
| 109619 | EulerOS 2.0 SP1 : kernel (EulerOS-SA-2018-1119) | Nessus | Huawei Local Security Checks | high |
| 109611 | KB4103731: Windows 10 Version 1703 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109610 | KB4103726: Windows Server 2012 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109608 | KB4103727: Windows 10 Version 1709 and Windows Server Version 1709 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109607 | KB4103715: Windows 8.1 and Windows Server 2012 R2 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109606 | KB4103723: Windows 10 Version 1607 and Windows Server 2016 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109605 | KB4103721: Windows 10 Version 1803 and Windows Server Version 1803 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109604 | KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |
| 109603 | KB4103716: Windows 10 May 2018 Security Update | Nessus | Windows : Microsoft Bulletins | high |