Almost all major OS vendors released security patches yesterday after a researcher discovered that some OS makers have misinterpreted an Intel CPU debug feature and left their systems open to attacks.
The vulnerability is in how the OS vendors implemented a hardware debug mechanism for Intel x86-64 architectures, and more specifically the MOV SS and POP SS instructions.
"In certain circumstances after the use of certain Intel x86-64 architecture instructions, a debug exception pointing to data in a lower ring (for most operating systems, the kernel Ring 0 level) is made available to operating system components running in Ring 3," the CERT/CC team explained in an advisory published yesterday.
Explained in layman's terms, "this may allow an attacker to utilize operating system APIs to gain access to sensitive memory information or control low-level operating system functions."
Vendors whose operating systems mishandle this debug exception, and were therefore open to attack, include Apple, Microsoft, FreeBSD, Red Hat, Ubuntu, SUSE Linux, and other Linux distributions built on the Linux kernel, which is itself affected.
Further, the issue also made it into virtualization software such as VMware and Xen. CERT/CC has a page dedicated to the patch status of each affected vendor.
Fixing the bug and having synchronized patches out by yesterday was an industry-wide effort, one that deserves praise, especially compared to the jumbled Meltdown and Spectre patching process.
https://t.co/E3ZoDQ5XC9 - here it is folks. This fix represents amazing collaboration between Microsoft and the OSS community. I was able to reach out to a number of BSD groups, collaborate with them and sync our releases to protect ALL our customers. — Nate Warfield (@dk_effect), May 8, 2018
As an industry we owe it to our customers to collaborate with others, and this needs to become the new normal if we expect to be successful. Connecting with others at conferences is more than exchanging business cards; it's about taking security to the next level! https://t.co/M6k7VMWkIK — Nate Warfield (@dk_effect), May 8, 2018
The issue, tracked as CVE-2018-8897, is not remotely exploitable: an attacker needs to have already infected a PC with malware, or must have access to a logged-in account, to run the malicious code that exploits this vulnerability.
In the best case for the attacker, they could elevate the privileges of their code to kernel level and then use that access to perform other operations.
The issue was discovered by Nick Peterson of Everdox Tech, LLC. Both Peterson and the CERT/CC team blamed the "unclear and perhaps even incomplete documentation" relating to the use of the MOV SS and POP SS instructions as the main reason why this bug made it into the kernels of so many different operating systems in practically the same way.
Peterson published a PDF report detailing the bug in more depth.