Most major operating systems are vulnerable to a “serious” security bug caused by developers’ misinterpretation of documentation on debugging features in Intel and AMD chips.
The problem is unusual in its scale, affecting Windows, Apple’s macOS, most major Linux distributions, FreeBSD, and virtualisation products from VMware, Xen and KVM.
The bug could be exploited in different ways depending on the platform involved, with attackers able in some cases to gain access to sensitive memory information or take control of low-level operating system functions, according to CERT.
Microsoft said that an attacker could exploit the bug in Windows to run malicious code in kernel mode.
System takeover
“To exploit this vulnerability, an attacker would first have to log on to the system,” Microsoft warned in an advisory. “An attacker could then run a specially-crafted application to take control of an affected system.”
VMware said its hypervisors aren’t affected but other products may be, including VMware vCenter Server, VMware Data Protection and VMware vSphere Integrated Containers.
The Xen project said all versions of Xen are affected, but that the bug can only be exploited by guests using paravirtualisation. The issue can’t be exploited on systems using hardware-assisted virtualisation.
KVM said an unprivileged user could exploit the bug to crash a guest operating system or potentially escalate their privileges within the guest.
CERT said operating system makers had apparently made programming mistakes due to their interpretation of “potentially unclear existing documentation” and guidance on the use of debug functions.
The affected software makers have released patches, with links available via CERT’s advisory.
‘Unexpected behaviour’
The interrupt/exception instructions in question are MOV to SS and POP to SS, CERT said.
The way these instructions are handled by various operating systems “may result in unexpected behaviour”, CERT said.
In certain circumstances the result “may allow an attacker to utilise operating system APIs to gain access to sensitive memory information or control low-level operating system functions,” CERT said, adding that “an authenticated attacker may be able to read sensitive data in memory or control low-level operating system functions”.
The researchers who discovered the flaw said the implications were worse for software running on AMD chips.
“It seems, in a way, that this is just a giant oversight,” wrote Nick Peterson of Everdox Tech and Nemanja Mulasmajic of Triplefault.io in their paper on the issue.
They said they expect Intel and AMD to update their instruction specifications to make a clear note of the “edge case” involved in the problem, and in fact Intel this week released updated software developer manuals with modifications related to interrupt instructions.
CERT said it does not expect performance slowdowns to result from applying updates to fix the problem.