Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Researchers Publish Details on Recent Critical Hyper-V Vulnerability

Security researchers at Guardicore Labs are sharing details of a critical vulnerability in Hyper-V that Microsoft patched in May 2021.

Security researchers at Guardicore Labs are sharing details of a critical vulnerability in Hyper-V that Microsoft patched in May 2021.

Tracked as CVE-2021-28476 with a CVSS score of 9.9, the security vulnerability impacts Hyper-V’s virtual network switch driver (vmswitch.sys) and could be exploited to achieve remote code execution or cause a denial of service condition.

Hyper-V is a native hypervisor that provides virtualization capabilities for both desktop and cloud systems, and which Microsoft uses as the underlying virtualization technology for Azure.

The security issue that Guardicore Labs (in collaboration with SafeBreach Labs) discovered was likely in production for more than a year, as it first appeared in a vmswitch build in August 2019. The vulnerability affects Windows 7, 8.1 and 10 and Windows Server 2008, 2012, 2016 and 2019.

An attacker with an Azure virtual machine could exploit the security bug by sending a crafted packet to the Hyper-V host. This could have resulted in the attacker running code on the Hyper-V host and potentially taking down entire regions of the cloud.

[ Related: Microsoft Patches 3 Under-Attack Windows Zero-Days ]

“Hyper-V is Azure’s hypervisor; for this reason, a vulnerability in Hyper-V entails a vulnerability in Azure, and can affect whole regions of the public cloud. Triggering denial of service from an Azure VM would crash major parts of Azure’s infrastructure and take down all virtual machines that share the same host,” according to a Guardicore Labs report.

An attacker capable of exploiting the vulnerability to achieve remote code execution – a more complex exploitation chain – could take control over the host and the VMs running on it, thus having access to sensitive information and being able to run malicious payloads or perform other nefarious operations, the security researchers say.

The issue exists because, when processing OID requests, vmswitch doesn’t validate the value of the request, and may dereference an invalid pointer.

Advertisement. Scroll to continue reading.

Guardicore Labs says that there are two exploitation scenarios, one where an invalid pointer leads to the Hyper-V host crashing, and another where the host’s kernel would read from a memory-mapped device register, thus leading to code execution.

“What made this vulnerability so lethal is the combination of a hypervisor bug – an arbitrary pointer dereference – with a design flaw allowing a too-permissive communication channel between the guest and the host,” the researchers added.

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days

Related: ‘Siloscape’ Malware Targets Windows Server Containers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...