An exploit has now emerged for a weak point in the Hyper-V virtualization solution. Microsoft had classified the security problem as uncritical as there was no evidence that the vulnerability was being exploited. That is changing now.
Günter Born reports on his blog. A security update for the “Hyper-V Remote Code Execution Vulnerability – CVE-2021-2847” was released on May Patch Day. A proof-of-concept for the vulnerability was published on Github. This enabled the security researcher Axel Souchet to exploit the error. The newer Windows 10 versions 2004 and 20H2 and their server variants are affected. Souchet showed the exploit on Twitter and made further information available on Github.
To explain what is triggered by the vulnerability, Microsoft has added to the FAQ on the reported security vulnerability and writes :
- In what circumstances could this vulnerability be exploited other than through a denial of service attack against a Hyper-V host?
- This problem allows a guest VM to force the Hyper-V host’s kernel to read from any potentially invalid address. The content of the address read would not be returned to the guest VM. Under most circumstances, this would lead to a refusal of service by the Hyper-V host (bug check) due to reading an unassigned address. It is possible to read from a device register mapped in memory that corresponds to a hardware device attached to the Hyper-V host, which can trigger additional hardware device-specific side effects that could compromise the security of the Hyper-V host.
Administrators should act accordingly to address the remote code execution vulnerability. The exploit shows how manipulated files could otherwise take over the host system via Hyper-V virtualization. Windows Remote Management (WinRM) and Web Services on Devices (WSDAPI) are also affected by the problem. As far as is known, there is no active exploitation of the security hole (yet).