Guardicore Labs are Sharing Details of a Critical Vulnerability in Hyper-V


Microsoft addressed a significant vulnerability in Hyper-V in May 2021, according to security experts at Guardicore Labs.

The security vulnerability, identified as CVE-2021-28476 with a CVSS score of 9.9, affects Hyper-virtual V’s network switch driver (vmswitch.sys) and might be used to gain remote code execution or create a denial of service scenario.

Microsoft employs Hyper-V as the core virtualization technology for Azure. Hyper-V is a native hypervisor that provides virtualization features for both desktop and cloud systems.

Because it first surfaced in a vmswitch build in August 2019, the security flaw found by Guardicore Labs (in partnership with SafeBreach Labs) was likely in production for more than a year. Windows 7, 8.1, and 10 are all affected, as well as Windows Server 2008, 2012, 2016, and 2019.

By delivering a forged packet to the Hyper-V host, an attacker with an Azure virtual machine might exploit the security flaw. As a result, the attacker might have run code on the Hyper-V host, potentially bringing down entire cloud regions.

“Because Hyper-V is Azure’s hypervisor, a vulnerability in Hyper-V also affects Azure, and can compromise entire regions of the public cloud. According to a Guardicore Labs research, “triggering denial of service from an Azure VM would crash significant elements of Azure’s infrastructure and knock down all virtual machines that share the same host.”

According to the security researchers, an attacker who is able to exploit the vulnerability to gain remote code execution – a more complex exploitation chain – could gain control of the host and the VMs running on it, gaining access to sensitive information and the ability to run malicious payloads or perform other nefarious operations.

The problem exists because vmswitch does not validate the value of OID requests before processing them, and so may dereference an invalid pointer.

According to Guardicore Labs, there are two exploitation scenarios: one in which an incorrect pointer causes the Hyper-V host to crash, and another in which the host’s kernel reads from a memory-mapped device register and executes code.

“What made this vulnerability so fatal was the combination of a hypervisor bug – an arbitrary pointer dereference – and a design defect allowing an overly permissive communication channel between the guest and the host,” the researchers explained.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.