Response to CVE Security Alert CVE-2018-8897
Almost every major operating system, with the exception of OpenVMS, has been discovered to be vulnerable to attack due to a misinterpreted Intel CPU debug feature. A number of these other OS vendors have released, or are planning the release, of appropriate patches.
VSI OpenVMS is NOT vulnerable to this issue, primarily due to its different, four-mode architecture. Specifically, VSI OpenVMS is protected against CVE-2018-8897 because it does two things differently than other operating systems:
1) OpenVMS doesn’t rely on the CS pushed in the interrupt stack frame to determine the previous mode. This means OpenVMS cannot be tricked into believing it was already in kernel mode when it was not, which is central to this vulnerability.
2) OpenVMS uses a different method to switch GSBASE; OpenVMS always performs the switch and makes sure the user-mode GSBASE is always updated to match the kernel-mode GSBASE.