The United States Computer Emergency Response Team (CERT) announced on May 9 that Windows, macOS, Linux, FreeBSD, VMware and Xen are all affected by a serious vulnerability (CVE-2018-8897). The flaw stems from operating system developers misreading the Intel and AMD documentation on how debug exceptions are delivered after a stack-segment switch.
According to CERT, the vulnerability lets an attacker read sensitive data in memory or take control of low-level operating system functions. The affected operating system and hypervisor vendors have released patches, including Apple, DragonFly BSD, FreeBSD, Microsoft, Red Hat, SUSE Linux, Ubuntu, VMware and Xen.
According to Red Hat, “A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions, rather they are delivered once the first instruction after the stack switch is executed. An unprivileged system user could use this flaw to crash the system kernel resulting in the denial of service.”
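The deferral Red Hat describes can be observed safely from user space. The C program below is an added example, not code from this page, from CERT or from any vendor advisory: it sets the trap flag (TF) so the CPU raises a single-step #DB after the next instruction, then compares where the resulting SIGTRAP reports RIP when that next instruction is a NOP versus a MOV SS. With MOV SS the trap is held back by one instruction. The vulnerable case is the one where that following instruction is SYSCALL or INT, because the kernel then receives the #DB on its first instruction; this program deliberately uses a NOP and does not trigger the bug. It assumes x86-64 Linux with glibc (the REG_RIP/REG_EFL fallback indices and the X86_EFLAGS_TF constant are glibc and x86 values); on any other target the probes report -1.

```c
/*
 * Added example: observe the MOV SS exception-deferral window from user space.
 * Not code from the page or from any vendor advisory.
 * Assumes x86-64 Linux with glibc; on other targets every probe returns -1.
 */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <ucontext.h>

#if defined(__x86_64__) && defined(__linux__)

#ifndef REG_RIP
#define REG_RIP 16   /* glibc x86-64 gregset index, used only if the header did not expose it */
#endif
#ifndef REG_EFL
#define REG_EFL 17
#endif
#define X86_EFLAGS_TF 0x100LL

static volatile uintptr_t trap_rip;   /* RIP reported by the first #DB (SIGTRAP) */

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = ctx;
    (void)sig; (void)si;
    if (trap_rip == 0)
        trap_rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP];
    /* Clear TF in the interrupted context so the probe resumes without further traps. */
    uc->uc_mcontext.gregs[REG_EFL] &= ~X86_EFLAGS_TF;
}

static int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGTRAP, &sa, NULL);
}

/* Map the recorded trap RIP onto "how many instructions ran after TF was set". */
static int classify(uintptr_t after_first, uintptr_t after_second)
{
    if (trap_rip == after_first)  return 1;
    if (trap_rip == after_second) return 2;
    return trap_rip == 0 ? 0 : -1;    /* 0: no trap at all; -1: unexpected location */
}

/* Control: set TF, then run NOP, NOP. The CPU traps right after the first NOP. */
static int trap_distance_plain(void)
{
    uintptr_t l1, l2;
    if (install_handler() != 0) return -1;
    trap_rip = 0;
    __asm__ volatile(
        "subq  $128, %%rsp\n\t"        /* step below the red zone before touching the stack */
        "pushfq\n\t"
        "orq   $0x100, (%%rsp)\n\t"    /* set EFLAGS.TF */
        "popfq\n\t"                    /* TF is live from the next instruction on */
        "nop\n\t"                      /* instruction A: #DB expected right after it */
        "1:\n\t"
        "nop\n\t"                      /* instruction B */
        "2:\n\t"
        "addq  $128, %%rsp\n\t"
        "leaq  1b(%%rip), %0\n\t"
        "leaq  2b(%%rip), %1\n\t"
        : "=r"(l1), "=r"(l2) : : "memory", "cc");
    return classify(l1, l2);
}

/* Same layout, but instruction A is MOV SS: the #DB is held until after instruction B. */
static int trap_distance_mov_ss(void)
{
    uintptr_t l1, l2;
    if (install_handler() != 0) return -1;
    trap_rip = 0;
    __asm__ volatile(
        "subq  $128, %%rsp\n\t"
        "movw  %%ss, %%ax\n\t"         /* reload SS with its current selector: architecturally a no-op */
        "pushfq\n\t"
        "orq   $0x100, (%%rsp)\n\t"
        "popfq\n\t"
        "movw  %%ax, %%ss\n\t"         /* instruction A: MOV SS inhibits #DB delivery for one instruction */
        "1:\n\t"
        "nop\n\t"                      /* instruction B: the deferred #DB lands after this one */
        "2:\n\t"
        "addq  $128, %%rsp\n\t"
        "leaq  1b(%%rip), %0\n\t"
        "leaq  2b(%%rip), %1\n\t"
        : "=r"(l1), "=r"(l2) : : "rax", "memory", "cc");
    return classify(l1, l2);
}

/* 1 when the deferral is observed, 0 when the trap fell where a naive reading expects, -1 if unsupported. */
static int mov_ss_defers_debug_trap(void)
{
    int plain = trap_distance_plain();
    int movss = trap_distance_mov_ss();
    if (plain < 0 || movss < 0) return -1;
    return (plain == 1 && movss == 2) ? 1 : 0;
}

#else
static int trap_distance_plain(void)      { return -1; }   /* not x86-64 Linux */
static int trap_distance_mov_ss(void)     { return -1; }
static int mov_ss_defers_debug_trap(void) { return -1; }
#endif

int main(void)
{
    printf("TF set, then NOP, NOP    -> trap after %d instruction(s)\n", trap_distance_plain());
    printf("TF set, then MOV SS, NOP -> trap after %d instruction(s)\n", trap_distance_mov_ss());
    printf("deferral observed: %d\n", mov_ss_defers_debug_trap());
    return 0;
}
```

Run it as an unprivileged user on a patched system. The control case reports a trap distance of 1 and the MOV SS case 2; that one-instruction gap is the window the advisories describe, and it is the reason a kernel entry instruction placed in that slot ends up handling a debug exception that belongs to user mode.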
According to Microsoft, the vulnerability allows an attacker to run arbitrary code in kernel mode. Microsoft said: “An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system. The update addresses the vulnerability by correcting how the Windows kernel handles objects in memory.”
VMware says the flaw does not affect its hypervisors, but virtual-appliance products that run their own Linux kernel, such as VMware vCenter Server, VMware Data Protection and VMware vSphere Integrated Containers, may be affected.
Xen said that all Xen versions are affected, but only paravirtualized (PV) guests can exploit the vulnerability; hardware-virtualized (HVM) guests cannot.
CERT pointed out that the root cause is operating system developers mishandling these deferred exceptions, not a flaw in the CPU design itself. The misinterpretation arose because the Intel and AMD documentation lacked clear guidance on how interrupts and exceptions are delivered after a MOV SS or POP SS instruction.