Mishandling of Debug Exceptions Leading to Elevation of Privilege : CVE-2018-8897

An elevation of privilege vulnerability was discovered in the stack-switching mechanism of Intel and AMD processors. On successful exploitation an attacker can execute user-level code in kernel context or cause a denial of service. The vulnerability results from a misinterpretation of the processor documentation that describes the stack change process. CVE-2018-8897 has been assigned to track this vulnerability. The researchers have published a paper on their findings. The vulnerability is OS independent and has a large scope for exploitation; however, the attacker needs local access to the target, or some other means of running a crafted local application, and both cases may require the attacker to be logged in to the target.

Vulnerability
By design, when switching stacks using either MOV SS or POP SS, the processor disables external interrupts, non-maskable interrupts and pending debug exceptions until the instruction following the SS load has completed. If the SS load instruction is followed by a breakpoint exception (#BP), the interrupt handler may execute with a user-mode GS.Base address.

When the interrupt flag (EFLAGS.IF) is cleared by CLI or by an interrupt, the processor ignores maskable external interrupts. It was assumed that debug exceptions (#DB) and non-maskable interrupts are ignored as well; this is wrong. Consider the sample assembly instructions below.

mov ss,[rax]    ; load SS from the stack slot at [rax]; a data watchpoint on that slot raises #DB, which is held until the next instruction completes
int 3           ; software breakpoint: #BP enters ring 0, after which the held #DB is delivered

If rax points to an address on the stack and the debug registers are set to trigger on access to that stack address, any code or data reference to it will invoke the debug handler (#DB). Because of the SS-load rule, the #DB is suppressed until the following int 3 (breakpoint exception handler, #BP) instruction has executed. The issue is that when the int 3 handler completes and clears the interrupt flag, the #DB suppressed earlier becomes active. The #DB handler assumes that the calling privilege level is the same as that of int 3, which is zero, and executes using the GS.Base set by the user-level (privilege 3) process.
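To make the sequence concrete, the following is an added simplified model (not code from this post, the researchers, or any kernel): it simulates a #DB held by MOV SS being delivered once int 3 has entered ring 0, and compares a handler entry that trusts the frame's privilege level with one that checks the loaded GS.Base itself. The addresses, the watchpoint and the two entry policies are constructed for illustration.

```python
# Added model, not code from the post: addresses, watchpoint and entry
# policies are constructed to illustrate the deferred-#DB behaviour.
from dataclasses import dataclass, field

USER_GS, KERNEL_GS = 0x7FFF_0000_0000, 0xFFFF_8800_0000_0000  # constructed

@dataclass
class CPU:
    cpl: int = 3                     # current privilege level
    gs_base: int = USER_GS
    watch_addr: int = 0x7FFE_1000    # constructed DR0 data watchpoint on a stack slot
    pending_db: bool = False         # #DB raised but held by the SS-load rule
    log: list = field(default_factory=list)

    def mov_ss(self, addr):
        # A hit on the watchpoint raises #DB, but it is deferred past the next instruction.
        if addr == self.watch_addr:
            self.pending_db = True

    def deliver(self, vector, entry, frame_cpl):
        # Hardware switches to ring 0, then the handler's entry code decides
        # whether GS.Base must be swapped before the kernel body runs.
        self.cpl = 0
        entry(self, frame_cpl)
        self.log.append((vector, "kernel GS" if self.gs_base == KERNEL_GS else "user GS"))

    def int3(self, entry):
        frame_cpl = self.cpl                    # #BP from ring 3
        if self.pending_db:
            # The held #DB lands at the first instruction of the #BP handler:
            # its frame reports ring 0 while GS.Base is still the user value.
            self.pending_db = False
            self.deliver("#DB", entry, frame_cpl=0)
        self.deliver("#BP", entry, frame_cpl)

def naive_entry(cpu, frame_cpl):
    # Vulnerable pattern: trust the interrupted frame's privilege level.
    if frame_cpl == 3:
        cpu.gs_base = KERNEL_GS                 # swapgs

def paranoid_entry(cpu, frame_cpl):
    # Hardened pattern: decide from the GS.Base actually loaded, not the frame.
    if cpu.gs_base != KERNEL_GS:
        cpu.gs_base = KERNEL_GS                 # swapgs

def run(entry, hit_watchpoint=True):
    # Constructed scenario: ring-3 code loads SS from a stack slot, then int 3.
    cpu = CPU()
    cpu.mov_ss(cpu.watch_addr if hit_watchpoint else cpu.watch_addr + 8)
    cpu.int3(entry)
    return cpu.log
```

With the naive entry the #DB body runs on the user GS.Base; with the paranoid entry it does not, and the ordinary int 3 case behaves the same under both.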

Mitigation
Please apply the latest patches from vendors to address this vulnerability. Qualys customers can scan their network with the QIDs listed below to detect vulnerable machines. Qualys will continue to add detections as more vendors release their patches/additional patches for CVE-2018-8897.

QID Description
171123 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2018:1184-1)
171122 SUSE Enterprise Linux Security Update for xen (SUSE-SU-2018:1181-1)
157711 Oracle Enterprise Linux Security Update for kernel (ELSA-2018-1318)
157710 Oracle Enterprise Linux Security Update for kernel (ELSA-2018-1319)
157709 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4097)
157708 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4098)
157707 Oracle Enterprise Linux Security Update for Unbreakable Enterprise kernel (ELSA-2018-4096)
171117 SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2018:1171-1)
236771 Red Hat Update for kernel-rt (RHSA-2018:1355)
236770 Red Hat Update for kernel (RHSA-2018:1353)
236769 Red Hat Update for kernel (RHSA-2018:1351)
236768 Red Hat Update for kernel (RHSA-2018:1348)
236767 Red Hat Update for kernel (RHSA-2018:1347)
236766 Red Hat Update for kernel (RHSA-2018:1346)
236765 Red Hat Update for kernel (RHSA-2018:1345)
236764 Red Hat Update for kernel (RHSA-2018:1319)
236763 Red Hat Update for kernel (RHSA-2018:1318)
197129 Ubuntu Security Notification for Linux, Linux-aws, Linux-azure, Linux-euclid, Linux-gcp, Linux-hwe, (USN-3641-1)
91447 Microsoft Windows Security Update May 2018
370913 Apple macOS High Sierra 10.13.4, Security Update 2018-001 Not Installed (HT208742)

Please continue to follow Qualys Threat Protection for more coverage on this vulnerability.

References
CVE-2018-8897
Intel® 64 and IA-32 Architectures Software Developer’s Manual
POP SS/MOV SS Vulnerability
