SECURITY GUIDANCE - Hyper-V Remote Code Execution (CVE-2021-28476)

Overview

The vulnerability allows a Hyper-V guest to force the host's kernel to read from an arbitrary, potentially invalid, memory address. The issue stems from a failure within Hyper-V's virtual switch (vmswitch) to validate Object Identifier (OID) requests; an OID request can carry hardware offloading parameters that reference the memory address space of hardware objects, and these references are not checked before use.

Impact

An attacker could send a specially crafted packet from a Hyper-V guest to the Hyper-V host, either crashing the host (a denial of service) or gaining Remote Code Execution (RCE) on the Hyper-V host, which would subsequently give them access to all other VMs attached to that host.

Are my systems vulnerable?

Azure services are not affected. For on-premises deployments, an attacker would first need access to a Hyper-V guest in order to carry out this attack.

Affected Products

  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1
  • Windows 7 SP1
  • Windows 8.1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows 10
  • Windows Server 2016
  • Windows Server 2019

Vulnerability Detection

The Hyper-V host is missing KB5003171 (the May 2021 security update referenced under Further Information) from its patch set, or the equivalent May 2021 update for the host's OS version.
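As an added example (not part of the original advisory), a PowerShell check of a Hyper-V host's patch level. It assumes the host runs OS build 17763 (Windows Server 2019 / Windows 10 1809), where the fix shipped as KB5003171 at OS build 17763.1935, the build named in the Microsoft link under Further Information; the registry values and cmdlets used are standard Windows ones, and the script must run elevated.

```powershell
# Added example, not part of the original advisory. Assumes build 17763, where
# KB5003171 raised the Update Build Revision (UBR) to 1935. Other affected
# builds need their own May 2021 cumulative update and are flagged for review.
$fixedUbrByBuild = @{
    '17763' = 1935   # KB5003171, released 11 May 2021
}

function Test-HyperVHostPatched {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [string]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR   # raised by every cumulative update applied to the host

    # Only machines running the Hyper-V role expose vmswitch to guests.
    $hyperv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
    $roleInstalled = $hyperv -and $hyperv.State -eq 'Enabled'

    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HyperVRole   = $roleInstalled
        OSBuild      = "$build.$ubr"
        KB5003171    = [bool](Get-HotFix -Id KB5003171 -ErrorAction SilentlyContinue)
        Status       = 'Unknown'
    }

    if (-not $roleInstalled) {
        $result.Status = 'NotApplicable (Hyper-V role not enabled)'
    } elseif ($fixedUbrByBuild.ContainsKey($build)) {
        # Compare the UBR rather than trusting Get-HotFix alone: a later cumulative
        # update supersedes KB5003171 and carries the fix without listing that KB.
        $result.Status = if ($ubr -ge $fixedUbrByBuild[$build]) { 'Patched' } else { 'VULNERABLE' }
    } else {
        $result.Status = "ReviewManually (build $build not in table; check its May 2021 update)"
    }
    $result
}

Test-HyperVHostPatched | Format-List
```

Run it on each Hyper-V host (for example via Invoke-Command); a 'VULNERABLE' status means the host is still exposed, and 'ReviewManually' means the build is outside the table and needs the matching May 2021 update confirmed by hand.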

Containment, Mitigations & Remediations

Microsoft released a patch in May 2021; however, uptake appears to have been slow. Applying this update to every Hyper-V host remediates the vulnerability.

Indicators of Compromise

N/A

Threat Landscape

Although there is no known “in-the-wild” exploit, the vulnerability is gaining increased attention: the security researchers who discovered it, and responsibly disclosed it to Microsoft, have made more information about the vulnerability public thus increasing the likelihood of exploit by malicious actors.

Further Information

https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-bug-could-haunt-orgs-for-a-long-time/
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476
https://support.microsoft.com/en-gb/topic/may-11-2021-kb5003171-os-build-17763-1935-3f03e74b-4759-4ca3-b9f1-4bc0d5ab5d27

Quorum Cyber Managed Services Response (Customer Communications Only)
Quorum Cyber Managed Services are contacting customers who may be affected by this vulnerability to allow them time to patch before an active exploit becomes available.