Misunderstood Intel Documentation Leads to Multivendor Vulnerability

Operating system vendors are pushing out updates to address a flaw in how a hardware debugging command has been implemented that could potentially expose users to risk.


Major operating system vendors including Microsoft, Apple and Linux distributions somehow misinterpreted Intel documentation about a hardware debugging feature and ended up exposing users to potential risk. 

The flaw, which has been identified as CVE-2018-8897, was publicly reported on May 8, though impacted vendors were notified on April 30 and have already released patches. The flaw could have enabled an unauthenticated user to read sensitive data in memory or control low-level operating system functions.

"In some circumstances, some operating systems or hypervisors may not expect or properly handle an Intel architecture hardware debug exception," CERT warned in its advisory on the issue. "The error appears to be due to developer interpretation of existing documentation for certain Intel architecture interrupt/exception instructions, namely MOV to SS and POP to SS."

The flaw was reported by researchers Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io. In a detailed research paper, Peterson and Mulasmajic explain that the flaw is due to lack of control for a pair of debug registers that operating systems use. 

"This is a serious security vulnerability and oversight made by operating system vendors due to unclear and perhaps even incomplete documentation," the researchers wrote.

In a security advisory, Red Hat wrote that modern processors provide debugging infrastructure used by system designers and application developers to debug their software. On Linux, the risk is that an unprivileged KVM hypervisor guest user could use the CVE-2018-8897 flaw to crash the guest or escalate their privileges in the guest. There is no indication that attackers have exploited the issue on any operating system, and there currently is no proof of concept exploit code that has been publicly released.

"We've got working exploit code for Windows (should work on Linux too) on both Intel and AMD hardware," Mulasmajic wrote in a Twitter message. "We do plan on releasing it after we give a presentation/talk in the near future." 

Industry Reaction

The fact that a flaw was discovered due to poor documentation doesn't come as a surprise to Joseph Carson, chief security scientist at Thycotic. Documentation is typically thrown together at the last minute or done simply as a checkbox item, he said.  

"When you leave security to be correctly followed from a document, you will typically find some vendors implement it incorrectly," Carson told eWEEK

While the CVE-2018-8897 issue is a concern, Rishi Bhargava, co-founder at Demisto, said it's not as severe as the Meltdown and Spectre issues in terms of impact on the operating system or, at least as of now, it does not seem appear to be. The Meltdown and Spectre side-channel memory vulnerabilities in Intel and AMD were publicly disclosed on Jan. 3 and have led to multiple rounds of firmware and operating system updates.

"When the root cause is misunderstanding of documentation, the hope is that some people interpreted it right," Bhargava told eWEEK. "Though the bigger challenge that is emerging—now that we have seen a couple of hardware issues—is that researchers and black hats are shining a flashlight on hardware-related security problems and will find more." 

Chris Morales, head of security analytics at Vectra, said there is at least one key difference between Meltdown and Spectre and CVE-2018-8897. Meltdown and Spectre are remotely exploitable by malware, providing an initial means of infection, which could expose user and app passwords stored in system memory to potential risk, he said.

"This new 'doc misunderstand' issue, which is a mishandle of a debug exception feature, is not remotely exploitable, meaning an attacker needs to already be on the system before this technique is of any use," Morales said. "Once on the system, this poor implementation of the Intel debug feature would allow an attacker to elevate privileges on an already compromised system to gain low level access."

Morales explained that with the low-level access to an operating system kernel, an attacker could then move laterally across a network to find potentially valuable information.


The CERT advisory on the CVE-2018-8897 issue advises end users and enterprises to apply operating system patches in order to mitigate the flaw.

"Check with your operating system or software vendor for updates to address this issue," the CERT advisory states. "There is no expected performance impact for applying an update."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.