CVE-2018-8897

Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Una declaración en la guía de programación de sistemas del Manual del desarrollador de software (SDM) de las arquitecturas Intel 64 e IA-32 se manejó incorrectamente en el desarrollo de algunos o todos los núcleos del sistema operativo, lo que provocó un comportamiento inesperado para las excepciones #DB que son diferidas por MOV SS o POP SS, tal y como queda demostrado con (por ejemplo) el escalado de privilegios en Windows, macOS, algunas configuraciones Xen o FreeBSD, o un fallo del kernel de Linux. Las instrucciones de MOV a SS y POP SS inhiben interrupciones (incluyendo NMI), puntos de interrupción de datos y excepciones de trampas de un paso hasta los límites de la instrucción que siguen a la siguiente instrucción (SDM Vol. 3A; sección 6.8.3). (Los puntos de interrupción de datos inhibidos son aquellos en la memoria a los que accede a la propia instrucción MOV a SS o POP a SS). Tenga en cuenta que las excepciones de depuración no están inhibidas por el indicador del sistema de habilitación de interrupciones (EFLAGS.IF) (SDM Vol. 3A; sección 2.3). Si la instrucción que sigue a la instrucción MOV a SS o POP a SS es una instrucción como SYSCALL, SYSENTER, INT 3, etc. que transfiere el control al sistema operativo a CPL < 3, la excepción de depuración se entrega después de que la transferencia a CPL < 3 se haya completado. Es posible que los kernels del sistema operativo no esperen este orden de eventos y, por lo tanto, puedan experimentar un comportamiento inesperado cuando ocurra.

A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-03-21 CVE Reserved
2018-05-08 CVE Published
2018-05-08 First Exploit
2023-07-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-250: Execution with Unnecessary Privileges
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CAPEC

References (53)

URL	Tag	Source
http://openwall.com/lists/oss-security/2018/05/08/1	Mailing List
http://openwall.com/lists/oss-security/2018/05/08/4	Mailing List
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en	X_refsource_confirm
http://www.securityfocus.com/bid/104071	Third Party Advisory
http://www.securitytracker.com/id/1040744	Third Party Advisory
http://www.securitytracker.com/id/1040849	Third Party Advisory
http://www.securitytracker.com/id/1040861	Third Party Advisory
http://www.securitytracker.com/id/1040866	Third Party Advisory
http://www.securitytracker.com/id/1040882	Third Party Advisory
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0	X_refsource_confirm
https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html	Mailing List
https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html	Mailing List
https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html	Mailing List
https://security.netapp.com/advisory/ntap-20180927-0002	X_refsource_confirm
https://support.apple.com/HT208742	Third Party Advisory
https://support.citrix.com/article/CTX234679	Third Party Advisory
https://svnweb.freebsd.org/base?view=revision&revision=333368	Third Party Advisory
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc	Third Party Advisory
https://www.kb.cert.org/vuls/id/631579	Third Party Advisory
https://www.synology.com/support/security/Synology_SA_18_21	Third Party Advisory
https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html	Third Party Advisory
https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897

URL	Date	SRC
https://www.exploit-db.com/exploits/44697	2024-08-05
https://www.exploit-db.com/exploits/45024	2024-08-05
https://github.com/can1357/CVE-2018-8897	2024-08-05
https://github.com/nmulasmajic/CVE-2018-8897	2018-05-10
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/mov_ss.rb	2018-05-08

URL	Date	SRC
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9	2019-10-03
https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9	2019-10-03
https://patchwork.kernel.org/patch/10386677	2019-10-03
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897	2019-10-03
https://xenbits.xen.org/xsa/advisory-260.html	2019-10-03

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2018:1318	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1319	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1345	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1346	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1347	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1348	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1349	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1350	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1351	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1352	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1353	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1354	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1355	2019-10-03
https://access.redhat.com/errata/RHSA-2018:1524	2019-10-03
https://bugzilla.redhat.com/show_bug.cgi?id=1567074	2018-05-23
https://usn.ubuntu.com/3641-1	2019-10-03
https://usn.ubuntu.com/3641-2	2019-10-03
https://www.debian.org/security/2018/dsa-4196	2019-10-03
https://www.debian.org/security/2018/dsa-4201	2019-10-03
https://access.redhat.com/security/cve/CVE-2018-8897	2018-05-23
https://access.redhat.com/security/vulnerabilities/pop_ss	2018-05-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				17.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "17.10"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Server Search vendor "Redhat" for product "Enterprise Linux Server"				7.0 Search vendor "Redhat" for product "Enterprise Linux Server" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Workstation Search vendor "Redhat" for product "Enterprise Linux Workstation"				7.0 Search vendor "Redhat" for product "Enterprise Linux Workstation" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Virtualization Manager Search vendor "Redhat" for product "Enterprise Virtualization Manager"				3.0 Search vendor "Redhat" for product "Enterprise Virtualization Manager" and version "3.0"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.0.2 Search vendor "Citrix" for product "Xenserver" and version "6.0.2"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.2.0 Search vendor "Citrix" for product "Xenserver" and version "6.2.0"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				6.5 Search vendor "Citrix" for product "Xenserver" and version "6.5"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.0 Search vendor "Citrix" for product "Xenserver" and version "7.0"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.1 Search vendor "Citrix" for product "Xenserver" and version "7.1"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.2 Search vendor "Citrix" for product "Xenserver" and version "7.2"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.3 Search vendor "Citrix" for product "Xenserver" and version "7.3"		-		Affected
Citrix Search vendor "Citrix"		Xenserver Search vendor "Citrix" for product "Xenserver"				7.4 Search vendor "Citrix" for product "Xenserver" and version "7.4"		-		Affected
Synology Search vendor "Synology"		Skynas Search vendor "Synology" for product "Skynas"				-		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Search vendor "Synology" for product "Diskstation Manager"				5.2 Search vendor "Synology" for product "Diskstation Manager" and version "5.2"		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Search vendor "Synology" for product "Diskstation Manager"				6.0 Search vendor "Synology" for product "Diskstation Manager" and version "6.0"		-		Affected
Synology Search vendor "Synology"		Diskstation Manager Search vendor "Synology" for product "Diskstation Manager"				6.1 Search vendor "Synology" for product "Diskstation Manager" and version "6.1"		-		Affected
Apple Search vendor "Apple"		Mac Os X Search vendor "Apple" for product "Mac Os X"				< 10.13.4 Search vendor "Apple" for product "Mac Os X" and version " < 10.13.4"		-		Affected
Xen Search vendor "Xen"		Xen Search vendor "Xen" for product "Xen"				-		x86		Affected
Freebsd Search vendor "Freebsd"		Freebsd Search vendor "Freebsd" for product "Freebsd"				>= 11.0 < 11.1 Search vendor "Freebsd" for product "Freebsd" and version " >= 11.0 < 11.1"		-		Affected