Vulnerability Details : CVE-2018-8897
Public exploit exists!
A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
Vulnerability category: Gain privilege
Threat overview for CVE-2018-8897
Top countries where our scanners detected CVE-2018-8897
Top open port discovered on systems with this issue
21
IPs affected by CVE-2018-8897 2,971
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2018-8897!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2018-8897
Probability of exploitation activity in the next 30 days: 0.07%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 30 % EPSS Score History EPSS FAQ
Metasploit modules for CVE-2018-8897
-
Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
Disclosure Date: 2018-05-08First seen: 2020-04-26exploit/windows/local/mov_ssThis module exploits a vulnerability in a statement in the system programming guide of the Intel 64 and IA-32 architectures software developer's manual being mishandled in various operating system kerneles, resulting in unexpected behavior for #DB excpetions
CVSS scores for CVE-2018-8897
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.2
|
HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
3.9
|
10.0
|
NIST |
|
7.8
|
HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2018-8897
-
The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-8897
-
http://openwall.com/lists/oss-security/2018/05/08/1
oss-security - Xen Security Advisory 260 (CVE-2018-8897) - x86: mishandling of debug exceptionsMailing List;Third Party Advisory
-
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20190921-01-debug-en
Privilege Escalation Vulnerability in Some Huawei Products
-
https://access.redhat.com/errata/RHSA-2018:1345
RHSA-2018:1345 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.apple.com/HT208742
About the security content of Security Update 2018-001 - Apple SupportThird Party Advisory
-
https://github.com/torvalds/linux/commit/d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9
x86/entry/64: Don't use IST entry for #BP stack · torvalds/linux@d8ba61b · GitHubPatch;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20180927-0002/
CVE-2018-8897 x86 Debug Exception Vulnerability in NetApp Products | NetApp Product Security
-
https://www.synology.com/support/security/Synology_SA_18_21
Synology Inc.Third Party Advisory
-
https://www.freebsd.org/security/advisories/FreeBSD-SA-18:06.debugreg.asc
Third Party Advisory
-
https://usn.ubuntu.com/3641-2/
USN-3641-2: Linux kernel vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1355
RHSA-2018:1355 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1346
RHSA-2018:1346 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.debian.org/security/2018/dsa-4196
Debian -- Security Information -- DSA-4196-1 linuxThird Party Advisory
-
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=d8ba61ba58c88d5207c1ba2f7d9a2280e7d03be9
kernel/git/torvalds/linux.git - Linux kernel source treePatch;Third Party Advisory
-
https://xenbits.xen.org/xsa/advisory-260.html
XSA-260 - Xen Security AdvisoriesPatch;Third Party Advisory
-
http://www.securitytracker.com/id/1040744
Apple macOS/OS X LinkPresentation, Crash Reporter, and Kernel Bugs Let Remote Users Spoof the User Interface and Local Users Gain Elevated Privileges - SecurityTrackerThird Party Advisory;VDB Entry
-
https://lists.debian.org/debian-lts-announce/2018/05/msg00015.html
[SECURITY] [DLA 1383-1] xen security updateThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1352
RHSA-2018:1352 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.kb.cert.org/vuls/id/631579
VU#631579 - Hardware debug exception documentation may result in unexpected behavior
-
https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0
Security fixes in StruxureWare Data Center Expert v7.6.0 - User assistance for StruxureWare Data Center Expert 7.x - Help Center: Support for EcoStruxure IT, StruxureWare for Data Centers, and NetBotz
-
http://www.securitytracker.com/id/1040882
Xen Debug Exception Handling Flaw Lets Local Users on a PV Guest System Gain Elevated Privileges on the Host System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://bugzilla.redhat.com/show_bug.cgi?id=1567074
1567074 – (CVE-2018-8897) CVE-2018-8897 Kernel: error in exception handling leads to DoSIssue Tracking;Third Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/11/msg00013.html
[SECURITY] [DLA 1577-1] xen security update
-
https://www.exploit-db.com/exploits/45024/
Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)
-
https://access.redhat.com/errata/RHSA-2018:1318
RHSA-2018:1318 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securitytracker.com/id/1040861
Linux Kernel Debug Exception Handling Flaw Lets Local Users Cause Denial of Service Conditions on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2018:1524
RHSA-2018:1524 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://svnweb.freebsd.org/base?view=revision&revision=333368
[base] Revision 333368Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1350
RHSA-2018:1350 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://usn.ubuntu.com/3641-1/
USN-3641-1: Linux kernel vulnerabilities | Ubuntu security noticesThird Party Advisory
-
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8897
CVE-2018-8897 | Windows Kernel Elevation of Privilege VulnerabilityPatch;Third Party Advisory;Vendor Advisory
-
https://access.redhat.com/errata/RHSA-2018:1353
RHSA-2018:1353 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.debian.org/debian-lts-announce/2018/06/msg00000.html
[SECURITY] [DLA 1392-1] linux security updateThird Party Advisory
-
https://www.triplefault.io/2018/05/spurious-db-exceptions-with-pop-ss.html
Spurious #DB exceptions with the "MOV SS" and "POP SS" instructions (CVE-2018-8897)Third Party Advisory
-
http://www.securitytracker.com/id/1040849
Windows Kernel Multiple Flaws Let Local Users Bypass Security Restictions, Obtain Potentially Sensitive Information, and Gain Elevated Privileges on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2018:1351
RHSA-2018:1351 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.exploit-db.com/exploits/44697/
Microsoft Windows - 'POP/MOV SS' Privilege EscalationExploit;Third Party Advisory;VDB Entry
-
https://patchwork.kernel.org/patch/10386677/
selftests/x86: Add mov_to_ss - PatchworkPatch;Third Party Advisory
-
https://www.debian.org/security/2018/dsa-4201
Debian -- Security Information -- DSA-4201-1 xenThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1349
RHSA-2018:1349 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1348
RHSA-2018:1348 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1319
RHSA-2018:1319 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securityfocus.com/bid/104071
Microsoft Windows Kernel CVE-2018-8897 Local Privilege Escalation VulnerabilityThird Party Advisory;VDB Entry
-
https://access.redhat.com/errata/RHSA-2018:1354
RHSA-2018:1354 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://support.citrix.com/article/CTX234679
Citrix XenServer Multiple Security UpdatesThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:1347
RHSA-2018:1347 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://www.securitytracker.com/id/1040866
FreeBSD Kernel Debug Exception Handling Flaw Lets Local Users Gain Elevated Privileges - SecurityTrackerThird Party Advisory;VDB Entry
-
http://openwall.com/lists/oss-security/2018/05/08/4
oss-security - CVE-2018-8897: #DB exceptions that are deferred by MOV SS or POP SS may cause unexpected behaviorMailing List;Third Party Advisory
-
https://github.com/can1357/CVE-2018-8897/
GitHub - can1357/CVE-2018-8897: Arbitrary code execution with kernel privileges using CVE-2018-8897.Exploit;Third Party Advisory
Products affected by CVE-2018-8897
- cpe:2.3:o:freebsd:freebsd:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_virtualization_manager:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:6.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:6.5:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:citrix:xenserver:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*
- cpe:2.3:o:xen:xen:-:*:*:*:*:*:x86:*
- cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*
- cpe:2.3:o:synology:diskstation_manager:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:synology:diskstation_manager:5.2:*:*:*:*:*:*:*
- cpe:2.3:o:synology:diskstation_manager:6.1:*:*:*:*:*:*:*