Pop_SS
Kernel Exception Handling Flaws After MOV/POP to SS Instructions (CVE-2018-8897, CVE-2018-1087)
Nick Peterson discovered that the Linux kernel did not properly handle debug exceptions following a MOV/POP to SS instruction. A local attacker could use this to cause a denial of service (system crash). This issue only affected the amd64 architecture. (CVE-2018-8897)
Andy Lutomirski discovered that the KVM subsystem of the Linux kernel did not properly emulate the ICEBP instruction following a MOV/POP to SS instruction. A local attacker in a KVM virtual machine could use this to cause a denial of service (guest VM crash) or possibly escalate privileges inside of the virtual machine. This issue only affected the i386 and amd64 architectures. (CVE-2018-1087)
These issues were fixed in the Linux kernel by commits `x86/entry/64: Don't use IST entry for #BP stack` and `kvm/x86: fix icebp instruction handling`. Ubuntu 17.10, 16.04 LTS, 14.04 LTS, and 12.04 ESM were affected. To address the issues, the majority of users should ensure that linux-image-4.13.0-41-generic 4.13.0-41.46 (Ubuntu 17.10), linux-image-4.4.0-124-generic 4.4.0-124.148 (Ubuntu 16.04 LTS), linux-image-3.13.0-147-generic 3.13.0-147.196 (Ubuntu 14.04 LTS), or linux-image-3.2.0-134-generic 3.2.0-134.180 (Ubuntu 12.04 ESM) is installed. Users of non-generic Ubuntu kernels should consult the published Ubuntu Security Notices for version information. These updates were announced in USN 3641-1 (Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 17.10) and USN 3641-2 (Ubuntu 12.04 ESM).
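The check below is an added example, not part of this page or of Ubuntu's tooling: it compares a host's stock generic kernel against the fixed versions listed above so a fleet can be audited for CVE-2018-8897/CVE-2018-1087 exposure. It assumes the release's stock kernel series (HWE or non-generic kernels raise and should be checked against the USN), reads `/etc/os-release` and `uname -r` on the local host, and treats a same-ABI `uname -r` match as patched (an assumption that the fix shipped with an ABI bump, as the versions above suggest).

```python
import platform
import re

# Fixed generic kernel versions per Ubuntu release (USN 3641-1 / USN 3641-2).
FIXED_KERNELS = {
    "17.10": "4.13.0-41.46",
    "16.04": "4.4.0-124.148",
    "14.04": "3.13.0-147.196",
    "12.04": "3.2.0-134.180",
}
# upstream major.minor.patch, Ubuntu ABI number, optional upload number
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)(?:\.(\d+))?")

def parse_kernel_version(ver):
    """'4.4.0-124.148' (dpkg) or '4.4.0-124-generic' (uname -r) ->
    (major, minor, patch, abi, upload); upload is None if absent."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {ver!r}")
    major, minor, patch, abi = (int(x) for x in m.groups()[:4])
    upload = int(m.group(5)) if m.group(5) is not None else None
    return (major, minor, patch, abi, upload)

def ubuntu_release(os_release_text):
    """Extract VERSION_ID (e.g. '16.04') from /etc/os-release content."""
    for line in os_release_text.splitlines():
        if line.startswith("VERSION_ID="):
            return line.split("=", 1)[1].strip().strip('"')
    raise ValueError("VERSION_ID not found in os-release data")

def is_patched(release, kernel_version):
    """True if the stock generic kernel is at or above the USN fix."""
    if release not in FIXED_KERNELS:
        raise KeyError(f"no fixed version on this page for Ubuntu {release}")
    fixed = parse_kernel_version(FIXED_KERNELS[release])
    have = parse_kernel_version(kernel_version)
    if have[:3] != fixed[:3]:  # HWE or other series: consult the USN directly
        raise ValueError(f"{kernel_version} is not the stock kernel for {release}")
    if have[3] != fixed[3]:    # ABI differs: the higher ABI is the newer build
        return have[3] > fixed[3]
    if have[4] is None:        # uname -r form, same ABI as the fix
        return True            # assumption: the fix shipped with an ABI bump
    return have[4] >= fixed[4]

if __name__ == "__main__":
    with open("/etc/os-release") as f:  # live check on this host
        rel = ubuntu_release(f.read())
    kver = platform.release()
    state = "patched" if is_patched(rel, kver) else "VULNERABLE"
    print(f"Ubuntu {rel}, kernel {kver}: {state} (CVE-2018-8897, CVE-2018-1087)")
```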
Timeline
SecurityTeam/KnowledgeBase/Pop_SS (last edited 2018-05-17 17:11:09 by emilyr)