CVE-2018-8897

Published: 08/05/2018 Updated: 03/10/2019
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 730
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Vulnerable Products

Debian Linux 7.0, 8.0, 9.0
Canonical Ubuntu Linux 14.04, 16.04, 17.10
Red Hat Enterprise Linux Server 7.0
Red Hat Enterprise Linux Workstation 7.0
Red Hat Enterprise Virtualization Manager 3.0
Citrix XenServer 6.0.2, 6.2.0, 6.5, 7.0, 7.1, 7.2, 7.3, 7.4
Synology DiskStation Manager 5.2, 6.0, 6.1
Synology SkyNAS
Apple Mac OS X
Xen
FreeBSD

Vendor Advisories

Several security issues were fixed in the Linux kernel ...
A weakness was found in the Linux kernel's implementation of random seed data. Programs, early in the boot sequence, could use the data allocated for the seed before it was sufficiently generated (CVE-2018-1108). A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instruction ...
Synopsis: Moderate: kernel security update. Type/Severity: Security Advisory: Moderate. Topic: An update for kernel is now available for Red Hat Enterprise Linux 5.9 Long Life. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base ...
Synopsis: Moderate: kernel security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6.6 Advanced Update Support and Red Hat Enterprise Linux 6.6 Telco Extended Update Support. Red Hat Product Security has rated this update a ...
Synopsis: Important: kernel-rt security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel-rt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (C ...
Synopsis: Important: kernel-rt security update. Type/Severity: Security Advisory: Important. Topic: An update for kernel-rt is now available for Red Hat Enterprise MRG 2. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base scor ...
Synopsis: Moderate: kernel security update. Type/Severity: Security Advisory: Moderate. Topic: An update for kernel is now available for Red Hat Enterprise Linux 5 Extended Lifecycle Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring Sys ...
Synopsis: Important: kernel security update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7.3 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis: Important: redhat-virtualization-host bug fix and enhancement update. Type/Severity: Security Advisory: Important. Topic: Updated redhat-virtualization-host packages that fix several bugs and add various enhancements are now available. Description: The redhat-virtualization-host package ...
Synopsis: Important: rhev-hypervisor7 security update. Type/Severity: Security Advisory: Important. Topic: An update for rhev-hypervisor7 is now available for RHEV 3.X Hypervisor and Agents Extended Lifecycle Support for Red Hat Enterprise Linux 6 and RHEV 3.X Hypervisor and Agents Extended Lifecycle Support for ...
Synopsis: Important: redhat-virtualization-host security update. Type/Severity: Security Advisory: Important. Topic: An update for redhat-virtualization-host is now available for RHEV 3.X Hypervisor and Agents Extended Lifecycle Support for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this updat ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) b ...
Synopsis: Important: kernel security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabili ...
Synopsis: Important: kernel security, bug fix, and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis: Important: kernel security update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring S ...
Synopsis: Important: kernel security update. Type/Severity: Security Advisory: Important. Topic: An update for kernel is now available for Red Hat Enterprise Linux 7.2 Advanced Update Support, Red Hat Enterprise Linux 7.2 Telco Extended Update Support, and Red Hat Enterprise Linux 7.2 Update Services for SAP Sol ...
Synopsis: Moderate: kernel security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6.5 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability ...
Synopsis: Moderate: kernel security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for kernel is now available for Red Hat Enterprise Linux 6.4 Advanced Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability ...
A flaw was found in the way the Linux kernel handled exceptions delivered after a stack switch operation via Mov SS or Pop SS instructions. During the stack switch operation, the processor did not deliver interrupts and exceptions; rather, they are delivered once the first instruction after the stack switch is executed. An unprivileged system user c ...
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, ...
Description of Problem: A number of security vulnerabilities have been identified in Citrix XenServer that may allow malicious code running in a PV guest VM to compromise the host and malicious privileged code running in an HVM guest VM to crash the host. These vulnerabilities affect all currently supported versions of Citrix XenServer up to and inc ...

Exploits

## # This module requires Metasploit: metasploit.com/download # Current source: github.com/rapid7/metasploit-framework ## require 'msf/core/post/common' require 'msf/core/post/file' require 'msf/core/post/windows/priv' require 'msf/core/post/windows/registry' require 'msf/core/exploit/exe' class MetasploitModule < Msf::Exploit: ...
Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privileges. KVA Shadowing should be disabled and the relevant security update should be uninstalled. This may not work with certain hypervisors (like VMware), which discard the pending #DB after INT3. Proof of Concept: github ...
This Metasploit module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS. This Metasploit module will upload the pre ...

Mailing Lists

Full Disclosure mailing list archives: APPLE-SA-2018-7-23-2 Additional information for APPLE-SA-2018-06-01-1 macOS High Sierra 10.13.5, Security Update 2018-0 ...

Github Repositories

Arbitrary code execution with kernel privileges using CVE-2018-8897.

CVE-2018-8897: Demo exploitation of the POP SS vulnerability (CVE-2018-8897), leading to unsigned code execution with kernel privileges. KVA Shadowing should be disabled and the relevant security update should be uninstalled. This may not work with certain hypervisors (like VMware), which discard the pending #DB after INT3. Detailed explanation: blog.can.ac/2018/05/11/

Recent Articles

It's 2018, and a webpage can still pwn your Windows PC – and apps can escape Hyper-V
The Register • Chris Williams, Editor in Chief • 09 May 2018

Scores of bugs, from Edge and Office to kernel code to Adobe Flash, need fixing ASAP

Patch Tuesday Microsoft and Adobe have patched a bunch of security bugs in their products that can be exploited by hackers to commandeer vulnerable computers, siphon people's personal information, and so on. Redmond emitted 68 patches alone, 21 rated critical and at least two being actively exploited in the wild. There are browser and kernel patches you should look into first, check out an Office 365 email filter bypass that isn't addressed, then Hyper-V if you're using that, and then the rest. ...

Every major OS maker misread Intel's docs. Now their kernels can be hijacked or crashed
The Register • Simon Sharwood and Chris Williams • 09 May 2018

Grab those patches as Chipzilla updates manuals

Updated Linux, Windows, macOS, FreeBSD, and some implementations of Xen have a design flaw that could allow attackers to, at best, crash Intel and AMD-powered computers. At worst, miscreants can, potentially, "gain access to sensitive memory information or control low-level operating system functions," which is a fancy way of saying peek at kernel memory, or hijack the critical code running the machine. The vulnerabilities can be exploited by malware running on a computer, or a malicious logge...

References

CWE-362
https://xenbits.xen.org/xsa/advisory-260.html
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc
https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9
https://bugzilla.redhat.com/show_bug.cgi?id=1567074
http://openwall.com/lists/oss-security/2018/05/08/1
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9
https://svnweb.freebsd.org/base?view=revision&revision=333368
https://support.apple.com/HT208742
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897
http://openwall.com/lists/oss-security/2018/05/08/4
https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html
https://www.synology.com/support/security/Synology_SA_18_21
https://usn.ubuntu.com/3641-2/
https://support.citrix.com/article/CTX234679
https://patchwork.kernel.org/patch/10386677/
https://access.redhat.com/errata/RHSA-2018:1355
https://access.redhat.com/errata/RHSA-2018:1354
https://access.redhat.com/errata/RHSA-2018:1353
https://access.redhat.com/errata/RHSA-2018:1352
https://access.redhat.com/errata/RHSA-2018:1351
https://access.redhat.com/errata/RHSA-2018:1350
https://access.redhat.com/errata/RHSA-2018:1349
https://access.redhat.com/errata/RHSA-2018:1348
https://access.redhat.com/errata/RHSA-2018:1347
https://access.redhat.com/errata/RHSA-2018:1346
https://access.redhat.com/errata/RHSA-2018:1345
https://access.redhat.com/errata/RHSA-2018:1319
https://access.redhat.com/errata/RHSA-2018:1318
http://www.securitytracker.com/id/1040849
http://www.securityfocus.com/bid/104071
https://www.debian.org/security/2018/dsa-4196
http://www.securitytracker.com/id/1040882
http://www.securitytracker.com/id/1040866
http://www.securitytracker.com/id/1040861
http://www.securitytracker.com/id/1040744
https://access.redhat.com/errata/RHSA-2018:1524
https://www.debian.org/security/2018/dsa-4201
https://github.com/can1357/CVE-2018-8897/
https://www.exploit-db.com/exploits/44697/
https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html
https://usn.ubuntu.com/3641-1/
https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html
https://www.exploit-db.com/exploits/45024/
https://security.netapp.com/advisory/ntap-20180927-0002/
https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
https://www.kb.cert.org/vuls/id/631579
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en
https://nvd.nist.gov