[German]There is a remote code execution vulnerability (CVE-2021-28476) in Microsoft's Hyper-V virtualization solution that allows a guest-to-host attack. Microsoft provided security updates in May 2021, so the vulnerability could be closed. Now a security researcher has published a proof of concept (PoC) for the vulnerability in vmswitch.sys.
Hyper-V vulnerability CVE-2021-28476
is Microsoft's virtualization technology built into Windows Server (and also clients starting with Windows 8). The CVE-2021-28476 vulnerability in the Hyper-V module vmswitch.sys allows remote code execution from the guest operating system on the host. Microsoft writes about the vulnerability:
This issue allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address. The contents of the read address would not be returned to the guest VM. Under most circumstances, this would result in a denial of service from the Hyper-V host (bugcheck, i.e., bluescreen) due to reading an unassigned address. However, it is possible to read from a device register mapped in memory that corresponds to a hardware device attached to the Hyper-V host, which could trigger additional hardware device-specific side effects that could compromise the security of the Hyper-V host.
The vulnerability received a CVSS score of 8.6, and Microsoft has released security updates for Windows clients from Windows 7 SP1 to Windows 10 version 1607, and Windows Server 2008 R2 to Windows Server 2016, as of May 11, 2021 (see also list of links at end of article).
Proof of Concept for CVE-2021-28476
Axel Souchet has written an exploit as a proof of concept that demonstrates this remote code execution from the Hyper-V guest system on the host, as he announced in the following tweet.
Details may be found on Github – administrators should install the May 2021 security updates on the affected machines if they have not already done so.
Cookies helps to fund this blog: Cookie settings