Anybody who's been involved with tech for a while has most likely come across the expression "RTFM" on more than one occasion. Usually delivered with a degree of snark, if not downright hostility, the initialism stands for "read the manual," with an added expletive added for good measure. As is often pointed out, the advice is not only rude, it's also often not helpful. Sometimes there is no documentation to read and if there is, it's poorly written and difficult to understand.
The latter seems to be the case with CVE-2018-8897, the latest operating system vulnerability.
On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of triplefault.io, made public a research paper that revealed all major operating systems -- Linux, Apple, Windows and BSD -- to be affected by a flaw that can allow authenticated users to read data in memory or control low-level OS functions. The good news is that the researchers notified software developers of the problem on April 30, and by the time it was made public, patches were at the ready.
The flaw centers around debugging infrastructure provided by modern processors that is used by system designers and application developers to debug software. The infrastructure includes a set of debug and other model-specific registers that can be configured to monitor events, including memory access, instruction execution and I/O port access. In some circumstances, a debug exception occurs that can allow an attacker to gain access to sensitive memory information or to control low-level operating system functions, which can allow an attacker to move across a network.
In Linux systems, the vulnerability can bring about a denial-of-service condition or crash the kernel.
How did all of the major operating systems come to have the same security flaw? Depends on how you interpret what you read. My money's on poorly written Intel documentation.
"Several operating systems appear to incorrectly handle this exception due to interpretation of potentially unclear existing documentation and guidance on the use of these instructions," CERT wrote in an advisory.
Researchers Peterson and Mulasmajic blame the vulnerability on "oversight made by operating system vendors due to unclear and perhaps even incomplete documentation..."
Since all major operating system developers got it wrong, incomplete and unclear Intel documentation seem to be a good bet.
Because the issue is connected to Intel and AMD chips, security experts have been quick to point out there are few similarities between it and Meltdown/Spectre. The new flaw is not remotely exploitable and can only be utilized by a user already on the system. Also, the patches available to fix the problem don't seem to come with any of the performance hits reported with Meltdown/Spectre patching.
Users are advised to check with their operating system or software vendor for updates to address this issue. In addition to operating systems, Xen, VMware, Synology, and Check Point Software are affected. A complete list is included on the CERT advisory page.
While not good news, the fact that this vulnerability is documentation related is undoubtedly a relief for Intel, which has taken several hits on the security front recently. In addition to the ongoing Meltdown/Spectre issue, in November the company had to issue a firmware patch as well as a downloadable detection tool to correct a serious vulnerability in Machine Engine, a largely undocumented computer-within-a-computer that's been included on Intel chipsets since 2008.
This latest problem should serve as a wake up call to both software and hardware vendors for improved documentation. This exploit illustrates that incomplete and poorly written documentation can not only be frustrating to users trying to get the most out of their software, but can open the door to serious security concerns. While this exploit so far seems to be relatively benign, the next time we might not be so lucky.
