Sid 1-46832

Message

OS-WINDOWS Microsoft Windows ROP gadget locate attempt

Summary

This event is generated when an attacker attempts to exploit a privilege escalation vulnerability (CVE-2018-8897, the MOV SS / POP SS debug-exception handling flaw) in the Windows kernel.

Impact

Attempted Administrator Privilege Gain

CVE-2018-8897:

CVSS base score 7.8

CVSS impact score 5.9

CVSS exploitability score 1.8

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Detailed information

Rule checks for attempts to exploit a privilege escalation vulnerability in the Windows kernel.

CVE-2018-8897: A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash.

The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single-step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A, section 6.8.3). The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP SS instruction itself. Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A, section 2.3).

If the instruction following the MOV to SS or POP SS instruction is one such as SYSCALL, SYSENTER, or INT 3 that transfers control to the operating system at CPL < 3, the deferred debug exception is delivered only after the transfer to CPL < 3 is complete, i.e. with the kernel's entry code already running. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
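The following is an added example, not code from the Talos rule page or from any published exploit. It is a harmless user-mode probe of the instruction-ordering quirk described above: with EFLAGS.TF set, a MOV SS would normally be followed by a single-step #DB, but the CPU holds that #DB until the boundary after the next instruction. Here the next instruction is a NOP rather than SYSCALL, so a patched kernel simply delivers SIGTRAP to the process and the handler records where RIP ended up. The probe is Linux x86-64 only (it returns -1 elsewhere) and assumes the glibc/musl `gregs[]` layout for x86-64 (RIP at index 16, EFLAGS at index 17); the function and macro names are this example's own.

```c
/* Added example, not part of the Talos rule page. Probes in user mode that a
 * single-step #DB raised for MOV SS is deferred past the following instruction
 * (SDM Vol. 3A, 6.8.3). Linux x86-64 only; probe_mov_ss_deferral() returns -1
 * on other targets. Assumes the glibc/musl x86-64 gregs[] layout. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) && defined(__linux__)
#include <ucontext.h>

#define X86_GREG_RIP  16     /* index of RIP in uc_mcontext.gregs[] (assumed)    */
#define X86_GREG_EFL  17     /* index of EFLAGS in uc_mcontext.gregs[] (assumed) */
#define X86_EFLAGS_TF 0x100  /* trap flag: single-step after every instruction   */

static volatile uintptr_t trap_rip;   /* RIP reported by the first SIGTRAP */
static volatile int       trap_count;

static void on_sigtrap(int sig, siginfo_t *si, void *ctx)
{
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
    if (trap_count++ == 0)
        trap_rip = (uintptr_t)uc->uc_mcontext.gregs[X86_GREG_RIP];
    /* Clear TF in the interrupted context so single-stepping stops here. */
    uc->uc_mcontext.gregs[X86_GREG_EFL] &= ~(long long)X86_EFLAGS_TF;
}

/* Returns 1 if the #DB landed after the instruction FOLLOWING MOV SS (the
 * deferral the SDM documents), 0 if it landed directly after MOV SS,
 * -2 if no trap was delivered, -3 if the trap RIP matched neither label. */
__attribute__((noinline)) int probe_mov_ss_deferral(void)
{
    uintptr_t after_mov_ss, after_next;
    struct sigaction sa, old;

    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_sigtrap;
    sa.sa_flags = SA_SIGINFO;
    sigaction(SIGTRAP, &sa, &old);
    trap_count = 0;
    trap_rip = 0;

    __asm__ volatile (
        "lea  -128(%%rsp), %%rsp\n\t"  /* step past the red zone before pushing */
        "mov  %%ss, %%eax\n\t"
        "push %%rax\n\t"               /* current SS selector, reloaded below   */
        "pushfq\n\t"
        "orq  $0x100, (%%rsp)\n\t"
        "popfq\n\t"                    /* TF=1; no trap after POPF itself        */
        "movw (%%rsp), %%ss\n\t"       /* TF trap for this insn is held back ... */
        "1:\n\t"
        "nop\n\t"                      /* ... until after this instruction       */
        "2:\n\t"
        "pop  %%rax\n\t"
        "lea  128(%%rsp), %%rsp\n\t"
        "lea  1b(%%rip), %0\n\t"       /* address right after MOV SS             */
        "lea  2b(%%rip), %1\n\t"       /* address right after the NOP            */
        : "=r"(after_mov_ss), "=r"(after_next)
        :
        : "rax", "memory", "cc");

    sigaction(SIGTRAP, &old, NULL);
    if (trap_count == 0)          return -2;
    if (trap_rip == after_next)   return 1;
    if (trap_rip == after_mov_ss) return 0;
    return -3;
}
#else
int probe_mov_ss_deferral(void) { return -1; }
#endif

int main(void)
{
    int r = probe_mov_ss_deferral();
    printf("probe result: %d (1 = #DB deferred past the instruction after MOV SS)\n", r);
    return 0;
}
```

On a patched kernel the probe reports 1: the trap is observed after the NOP, not after the MOV SS. Substituting a control transfer such as SYSCALL for the NOP is exactly what turns this deferral into the CVE-2018-8897 condition on unpatched kernels, which is why the example deliberately uses a NOP.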

Affected systems

  • citrix xenserver 6.0.2
  • citrix xenserver 6.2.0
  • citrix xenserver 6.5
  • citrix xenserver 7.0
  • citrix xenserver 7.1
  • citrix xenserver 7.2
  • citrix xenserver 7.3
  • citrix xenserver 7.4
  • synology skynas -
  • synology diskstation_manager 5.2
  • synology diskstation_manager 6.0
  • synology diskstation_manager 6.1
  • apple macosx -
  • apple macosx 10.0
  • apple macosx 10.0.0
  • apple macosx 10.0.1
  • apple macosx 10.0.2
  • apple macosx 10.0.3
  • apple macosx 10.0.4
  • apple macosx 10.1
  • apple macosx 10.1.0
  • apple macosx 10.1.1
  • apple macosx 10.1.2
  • apple macosx 10.1.3
  • apple macosx 10.1.4
  • apple macosx 10.1.5
  • apple macosx 10.2
  • apple macosx 10.2.0
  • apple macosx 10.2.1
  • apple macosx 10.2.2
  • apple macosx 10.2.3
  • apple macosx 10.2.4
  • apple macosx 10.2.5
  • apple macosx 10.2.6
  • apple macosx 10.2.7
  • apple macosx 10.2.8
  • apple macosx 10.3
  • apple macosx 10.3.0
  • apple macosx 10.3.1
  • apple macosx 10.3.2
  • apple macosx 10.3.3
  • apple macosx 10.3.4
  • apple macosx 10.3.5
  • apple macosx 10.3.6
  • apple macosx 10.3.7
  • apple macosx 10.3.8
  • apple macosx 10.3.9
  • apple macosx 10.4
  • apple macosx 10.4.0
  • apple macosx 10.4.1
  • apple macosx 10.4.2
  • apple macosx 10.4.3
  • apple macosx 10.4.4
  • apple macosx 10.4.5
  • apple macosx 10.4.6
  • apple macosx 10.4.7
  • apple macosx 10.4.8
  • apple macosx 10.4.9
  • apple macosx 10.4.10
  • apple macosx 10.4.11
  • apple macosx 10.5
  • apple macosx 10.5.0
  • apple macosx 10.5.1
  • apple macosx 10.5.2
  • apple macosx 10.5.3
  • apple macosx 10.5.4
  • apple macosx 10.5.5
  • apple macosx 10.5.6
  • apple macosx 10.5.7
  • apple macosx 10.5.8
  • apple macosx 10.6.0
  • apple macosx 10.6.1
  • apple macosx 10.6.2
  • apple macosx 10.6.3
  • apple macosx 10.6.4
  • apple macosx 10.6.5
  • apple macosx 10.6.6
  • apple macosx 10.6.7
  • apple macosx 10.6.8
  • apple macosx 10.7.0
  • apple macosx 10.7.1
  • apple macosx 10.7.2
  • apple macosx 10.7.3
  • apple macosx 10.7.4
  • apple macosx 10.7.5
  • apple macosx 10.8.0
  • apple macosx 10.8.1
  • apple macosx 10.8.2
  • apple macosx 10.8.3
  • apple macosx 10.8.4
  • apple macosx 10.8.5
  • apple macosx 10.9
  • apple macosx 10.9.1
  • apple macosx 10.9.2
  • apple macosx 10.9.3
  • apple macosx 10.9.4
  • apple macosx 10.9.5
  • apple macosx 10.10.0
  • apple macosx 10.10.1
  • apple macosx 10.10.2
  • apple macosx 10.10.3
  • apple macosx 10.10.4
  • apple macosx 10.10.5
  • apple macosx 10.11.0
  • apple macosx 10.11.1
  • apple macosx 10.11.2
  • apple macosx 10.11.3
  • apple macosx 10.11.4
  • apple macosx 10.11.5
  • apple macosx 10.11.6
  • apple macosx 10.12.0
  • apple macosx 10.12.1
  • apple macosx 10.12.2
  • apple macosx 10.12.3
  • apple macosx 10.12.4
  • apple macosx 10.12.5
  • apple macosx 10.12.6
  • apple macosx 10.13
  • apple macosx 10.13.0
  • apple macosx 10.13.1
  • apple macosx 10.13.2
  • apple macosx 10.13.3
  • canonical ubuntu_linux 14.04
  • canonical ubuntu_linux 16.04
  • canonical ubuntu_linux 17.10
  • debian debian_linux 7.0
  • debian debian_linux 8.0
  • debian debian_linux 9.0
  • redhat enterpriselinuxserver 7.0
  • redhat enterpriselinuxworkstation 7.0
  • redhat enterprisevirtualizationmanager 3.0
  • xen xen -

Ease of attack

CVE-2018-8897:

Access Vector

Access Complexity

Authentication

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References