Windows, macOS, major Linux distributions, FreeBSD, VMware, and Xen on x86 AMD and Intel CPUs are affected by a serious security flaw caused by operating system developers misinterpreting debug documentation from the two chip makers.
The affected OS and hypervisor makers on Tuesday released fixes for the common flaw that may allow an authenticated attacker “to read sensitive data in memory or control low-level operating system functions”, according to CERT.
Patches are available from Apple, DragonFly BSD, FreeBSD, Microsoft, Red Hat, SUSE Linux, Ubuntu, VMware, and Xen. In the case of Linux distributions, there are two separate issues that affect the Linux kernel and the kernel’s KVM hypervisor. Links to all the updates are listed in the CERT advisory.
According to Red Hat’s description, the flaw stems from the way operating systems and hypervisors handle certain debugging features in modern CPUs, in this case debug exceptions.
“Generally, exceptions are raised at the instruction boundary; all instructions before the one causing the exception are allowed to complete and the one causing the exception is stalled, so that it can resume execution once the exception has been handled,” Red Hat notes in its advisory.
“In a few instances where the instruction causes a task switch or stack switch, these exceptions are raised after the instruction; notably, the instruction causing the exception is allowed to complete, as happens with MOV SS or POP SS.”
Unexpected behavior can occur if certain instructions, such as SYSCALL, follow one of the two instructions in question, MOV to SS or POP to SS, according to CERT.
In the context of a Linux operating system, the flaw may allow an attacker to crash a system. However, the flaw could also allow an unprivileged KVM guest user to “crash the guest or, potentially, escalate their privileges in the guest”.
Microsoft says the vulnerability could allow an attacker to run arbitrary code in kernel mode.
“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application to take control of an affected system,” its advisory reads.
VMware said its hypervisors aren’t affected, but potentially affected products include VMware vCenter Server, VMware Data Protection, and VMware vSphere Integrated Containers.
The Xen project said all versions of Xen are affected, but the flaw can only be exploited by paravirtualized (PV) guests. Hardware-assisted virtualization (HVM) guests cannot exploit the flaw.
CERT notes that this issue appears to have been caused by operating system developers incorrectly handling these exceptions.
But while the flaws are not due to the design of the CPUs, the incorrect handling of the exception was “due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions”.
The vulnerability was discovered by researchers Nick Peterson of Everdox Tech and Nemanja Mulasmajic of Triplefault.io, who will be presenting their research at Black Hat 2018.
“This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS instruction and its interaction with interrupt gate semantics,” the pair note in their report.