VIR Vulnerability Intelligence Relay

CVE-2018-8897

high
Published — · Modified —
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS v4 NEW
not yet in upstream
VIR risk
9.0

Description

A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.

Predictions

Exploit likelihood
90%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-45024 local windows verified
Metasploit · 2018-07-13

Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)

Source code queued for fetch — refresh in a moment.
EDB-44697 local windows verified
Can Bölük · 2018-05-22

Microsoft Windows - 'POP/MOV SS' Privilege Escalation

Source code queued for fetch — refresh in a moment.

Metasploit modules

exploit_windows/local/mov_ss rank 600
Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability
Source fetch failed: fetch_error — view the original via the link above.

OS impact
suse SUSE Affected 1 release
VersionStatusFixed in
Affected
arch Arch Fixed 1 release
VersionStatusFixed in
Fixed 4.17-1
debian Debian Fixed 5 releases
VersionStatusFixed in
trixie Fixed 4.15.17-1
sid Fixed 4.15.17-1
forky Fixed 4.15.17-1
bullseye Fixed 4.15.17-1
bookworm Fixed 4.15.17-1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.