Back to qualys.com

What we’ve got here is failure to communicate: OS vendors misread CPU docs, create flaw

In a memorable scene from “Jumpin’ Jack Flash,” Whoopi Goldberg struggles to understand the lyrics of the eponymous song from the Rolling Stones, as she pleads: “Mick, Mick, Mick, speak English!”

It appears that multiple operating system vendors had similar trouble interpreting Intel and AMD debugging documentation, which led the OS vendors to independently create the same critical security flaw in their respective kernel software.

The issue came to light last week when US-CERT (United States Computer Emergency Readiness Team) warned that under certain circumstances “some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception.”

“The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS,” the CERT alert reads.

The list of OS vendors affected reads like an industry “who’s who.” It includes Apple, Microsoft, Red Hat, VMware, Ubuntu, Xen and SUSE Linux. The problem was discovered by researcher Nick Peterson of Everdox Tech, who has detailed the flaw in a paper titled “POP SS/MOV SS Vulnerability.”

“This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS and MOV SS instructions and their interactions with interrupt gate semantics,” wrote Peterson and co-author Nemanja Mulasmajic from Triplefault.io.

If exploited, the vulnerability (CVE-2018-8897), which each affected vendor has now patched, could allow attackers to create a variety of problems, including crashing the impacted system, running malicious programs on it, and tampering with data.

“An authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions,” reads the CERT advisory.

According to Microsoft, successful attackers would need to log on to the system, and run a specially-crafted application to take control of it. They could then run arbitrary code in kernel mode and “install programs; view, change, or delete data; or create new accounts with full user rights.”

More information is available from Red Hat and VMware.

In other security news …

  • There are reports of new “text bombs” that can crash mobile apps like iMessage and Whatsapp, as well as iPhones and Android devices, but their impact has been greatly exaggerated, according to independent security analyst Graham Cluley.
  • The source code for the TreasureHunter malware has been leaked, which will help researchers better understand but which may trigger the creation of new variants, reports Tom Spring in ThreatPost.
  • LG has patched a pair of “severe” vulnerabilities affecting its smartphones’ keyboards, according to ThreatPost’s Tara Seals.

Leave a Reply