// For flags

CVE-2018-8897

Microsoft Windows - 'POP/MOV SS' Privilege Escalation

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

4
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Una declaración en la guía de programación de sistemas del Manual del desarrollador de software (SDM) de las arquitecturas Intel 64 e IA-32 se manejó incorrectamente en el desarrollo de algunos o todos los núcleos del sistema operativo, lo que provocó un comportamiento inesperado para las excepciones #DB que son diferidas por MOV SS o POP SS, tal y como queda demostrado con (por ejemplo) el escalado de privilegios en Windows, macOS, algunas configuraciones Xen o FreeBSD, o un fallo del kernel de Linux. Las instrucciones de MOV a SS y POP SS inhiben interrupciones (incluyendo NMI), puntos de interrupción de datos y excepciones de trampas de un paso hasta los límites de la instrucción que siguen a la siguiente instrucción (SDM Vol. 3A; sección 6.8.3). (Los puntos de interrupción de datos inhibidos son aquellos en la memoria a los que accede a la propia instrucción MOV a SS o POP a SS). Tenga en cuenta que las excepciones de depuración no están inhibidas por el indicador del sistema de habilitación de interrupciones (EFLAGS.IF) (SDM Vol. 3A; sección 2.3). Si la instrucción que sigue a la instrucción MOV a SS o POP a SS es una instrucción como SYSCALL, SYSENTER, INT 3, etc. que transfiere el control al sistema operativo a CPL < 3, la excepción de depuración se entrega después de que la transferencia a CPL < 3 se haya completado. Es posible que los kernels del sistema operativo no esperen este orden de eventos y, por lo tanto, puedan experimentar un comportamiento inesperado cuando ocurra.

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-03-21 CVE Reserved
  • 2018-05-08 CVE Published
  • 2018-05-10 First Exploit
  • 2023-07-08 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CAPEC
References (52)
URL Tag Source
http://openwall.com/lists/oss-security/2018/05/08/1 Mailing List
http://openwall.com/lists/oss-security/2018/05/08/4 Mailing List
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en X_refsource_confirm
http://www.securityfocus.com/bid/104071 Third Party Advisory
http://www.securitytracker.com/id/1040744 Third Party Advisory
http://www.securitytracker.com/id/1040849 Third Party Advisory
http://www.securitytracker.com/id/1040861 Third Party Advisory
http://www.securitytracker.com/id/1040866 Third Party Advisory
http://www.securitytracker.com/id/1040882 Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0 X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html Mailing List
https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html Mailing List
https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html Mailing List
https://security.netapp.com/advisory/ntap-20180927-0002 X_refsource_confirm
https://support.apple.com/HT208742 Third Party Advisory
https://support.citrix.com/article/CTX234679 Third Party Advisory
https://svnweb.freebsd.org/base?view=revision&revision=333368 Third Party Advisory
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc Third Party Advisory
https://www.kb.cert.org/vuls/id/631579 Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_21 Third Party Advisory
https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html Third Party Advisory
https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897
URL Date SRC
https://www.exploit-db.com/exploits/44697 2024-08-05
https://www.exploit-db.com/exploits/45024 2024-08-05
https://github.com/can1357/CVE-2018-8897 2024-08-05
https://github.com/nmulasmajic/CVE-2018-8897 2018-05-10
URL Date SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 2019-10-03
https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9 2019-10-03
https://patchwork.kernel.org/patch/10386677 2019-10-03
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897 2019-10-03
https://xenbits.xen.org/xsa/advisory-260.html 2019-10-03
URL Date SRC
https://access.redhat.com/errata/RHSA-2018:1318 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1319 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1345 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1346 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1347 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1348 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1349 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1350 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1351 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1352 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1353 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1354 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1355 2019-10-03
https://access.redhat.com/errata/RHSA-2018:1524 2019-10-03
https://bugzilla.redhat.com/show_bug.cgi?id=1567074 2018-05-23
https://usn.ubuntu.com/3641-1 2019-10-03
https://usn.ubuntu.com/3641-2 2019-10-03
https://www.debian.org/security/2018/dsa-4196 2019-10-03
https://www.debian.org/security/2018/dsa-4201 2019-10-03
https://access.redhat.com/security/cve/CVE-2018-8897 2018-05-23
https://access.redhat.com/security/vulnerabilities/pop_ss 2018-05-23
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 7.0
Search vendor "Debian" for product "Debian Linux" and version "7.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 8.0
Search vendor "Debian" for product "Debian Linux" and version "8.0"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 9.0
Search vendor "Debian" for product "Debian Linux" and version "9.0"
-
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 14.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 16.04
Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"
lts
Affected
Canonical
Search vendor "Canonical"
 Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
 17.10
Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Server
Search vendor "Redhat" for product "Enterprise Linux Server"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Linux Workstation
Search vendor "Redhat" for product "Enterprise Linux Workstation"
 7.0
Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"
-
Affected
Redhat
Search vendor "Redhat"
 Enterprise Virtualization Manager
Search vendor "Redhat" for product "Enterprise Virtualization Manager"
 3.0
Search vendor "Redhat" for product "Enterprise Virtualization Manager" and version "3.0"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 6.0.2
Search vendor "Citrix" for product "Xenserver" and version "6.0.2"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 6.2.0
Search vendor "Citrix" for product "Xenserver" and version "6.2.0"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 6.5
Search vendor "Citrix" for product "Xenserver" and version "6.5"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 7.0
Search vendor "Citrix" for product "Xenserver" and version "7.0"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 7.1
Search vendor "Citrix" for product "Xenserver" and version "7.1"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 7.2
Search vendor "Citrix" for product "Xenserver" and version "7.2"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 7.3
Search vendor "Citrix" for product "Xenserver" and version "7.3"
-
Affected
Citrix
Search vendor "Citrix"
 Xenserver
Search vendor "Citrix" for product "Xenserver"
 7.4
Search vendor "Citrix" for product "Xenserver" and version "7.4"
-
Affected
Synology
Search vendor "Synology"
 Skynas
Search vendor "Synology" for product "Skynas"
--
Affected
Synology
Search vendor "Synology"
 Diskstation Manager
Search vendor "Synology" for product "Diskstation Manager"
 5.2
Search vendor "Synology" for product "Diskstation Manager" and version "5.2"
-
Affected
Synology
Search vendor "Synology"
 Diskstation Manager
Search vendor "Synology" for product "Diskstation Manager"
 6.0
Search vendor "Synology" for product "Diskstation Manager" and version "6.0"
-
Affected
Synology
Search vendor "Synology"
 Diskstation Manager
Search vendor "Synology" for product "Diskstation Manager"
 6.1
Search vendor "Synology" for product "Diskstation Manager" and version "6.1"
-
Affected
Apple
Search vendor "Apple"
 Mac Os X
Search vendor "Apple" for product "Mac Os X"
 < 10.13.4
Search vendor "Apple" for product "Mac Os X" and version " < 10.13.4"
-
Affected
Xen
Search vendor "Xen"
 Xen
Search vendor "Xen" for product "Xen"
-x86
Affected
Freebsd
Search vendor "Freebsd"
 Freebsd
Search vendor "Freebsd" for product "Freebsd"
 >= 11.0 < 11.1
Search vendor "Freebsd" for product "Freebsd" and version " >= 11.0 < 11.1"
-
Affected