Microsoft Windows, Apple macOS, Linux, BSD: All hit by same 'serious' security flaw

OS and hypervisor makers patch flaw that attackers could use to crash systems or read data from memory.
Written by Liam Tung, Contributing Writer


Windows, macOS, major Linux distributions, FreeBSD, VMware, and Xen on x86 AMD and Intel CPUs are affected by a serious security flaw caused by operating system developers misinterpreting debug documentation from the two chip makers.

The affected OS and hypervisor makers on Tuesday released fixes for the common flaw that may allow an authenticated attacker "to read sensitive data in memory or control low-level operating system functions", according to CERT.

Patches are available from Apple, DragonFly BSD, FreeBSD, Microsoft, Red Hat, SUSE Linux, Ubuntu, VMware, and Xen. In the case of Linux distributions, there are two separate issues that affect the Linux kernel and the kernel's KVM hypervisor. Links to all available updates are available in the CERT advisory.

According to Red Hat's description, the flaw stems from the way operating systems and hypervisors handle certain debugging features in modern CPUs, specifically how debug exceptions are handled.

"Generally, exceptions are raised at the instruction boundary; all instructions before the one causing the exception are allowed to complete and the one causing the exception is stalled, so that it can resume execution once the exception has been handled," Red Hat notes in its advisory.

"In a few instances where the instruction causes a task switch or stack switch, these exceptions are raised after the instruction; notably, the instruction causing the exception is allowed to complete, as happens with MOV SS or POP SS."

Unexpected behavior can occur if certain instructions, such as SYSCALL, immediately follow a MOV to SS or POP to SS instruction, according to CERT.


On a Linux system, the flaw may allow a local attacker to crash the system. In addition, the KVM issue could allow an unprivileged KVM guest user to "crash the guest or, potentially, escalate their privileges in the guest".

Microsoft says the vulnerability could allow an attacker to run arbitrary code in kernel mode.

"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially-crafted application to take control of an affected system," its advisory reads.

VMware said its hypervisors aren't affected but potentially affected products include VMware vCenter Server, VMware Data Protection, and VMware vSphere Integrated Containers.

The Xen project said all versions of Xen are affected, but the flaw can only be exploited by PV (paravirtualized) guests. Guests using hardware-assisted virtualization (HVM) cannot exploit the flaw.
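Because Xen's advisory limits exposure to PV guests, a dom0 administrator's first job is to find out which guests are PV and prioritise them. The following added example (not code from the article, Xen, or the researchers) classifies guests from `xl list -l` output; the JSON field layout (`config.c_info.type`, `config.c_info.name`) and the sample data are assumptions, and a domain with no type field is flagged for review rather than assumed safe.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample in the shape assumed for `xl list -l` (a JSON array of
# domains). Field names are an assumption about libxl's output, not verified
# against any particular Xen release.
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "hvm", "name": "win-hvm"}}},
    {"domid": 5, "config": {"c_info": {"type": "pv", "name": "legacy-pv"}}},
    {"domid": 7, "config": {"c_info": {"name": "no-type-field"}}},
])


def classify_guests(xl_json: str) -> Dict[str, List[str]]:
    """Split guests into those able to reach the debug-exception flaw (PV,
    per the Xen advisory), those that cannot (HVM), and those whose mode is
    unknown and therefore need manual review."""
    exposed: List[str] = []
    not_exposed: List[str] = []
    unknown: List[str] = []
    for dom in json.loads(xl_json):
        if dom.get("domid") == 0:
            continue  # dom0 is the trusted control domain, not a guest
        info = dom.get("config", {}).get("c_info", {})
        name = info.get("name", f"domid-{dom.get('domid')}")
        mode = info.get("type")
        if mode == "pv":
            exposed.append(name)
        elif mode == "hvm":
            not_exposed.append(name)
        else:
            unknown.append(name)  # do not silently treat as safe
    return {"pv_exposed": exposed, "hvm_not_exposed": not_exposed, "unknown": unknown}


def classify_live_host() -> Dict[str, List[str]]:
    """Run `xl list -l` on a Xen dom0 and classify the live guest set."""
    proc = subprocess.run(["xl", "list", "-l"], check=True,
                          capture_output=True, text=True)
    return classify_guests(proc.stdout)


if __name__ == "__main__":
    for bucket, names in classify_guests(SAMPLE_XL_LIST).items():
        print(f"{bucket}: {names}")
```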

CERT notes that this issue appears to have been caused by operating system developers incorrectly handling these exceptions.

But while the flaws are not due to CPU design, CERT says the misinterpretation of the exception was "due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions".

The vulnerability was discovered by researchers Nick Peterson of Everdox Tech and Nemanja Mulasmajic of Triplefault.io, who will present their research at Black Hat 2018.

"This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation on the caveats of the POP SS instruction and its interaction with interrupt gate semantics," the pair note in their report.

CERT has listed operating system and software vendors with updates to address this issue.

