Critical flaw in Microsoft Hyper-V could allow RCE and DoS

Experts disclose details about a critical flaw in Microsoft Hyper-V, tracked as CVE-2021-28476, that can allow executing arbitrary code on it.

Researchers Peleg Hadar of SafeBreach and Ophir Harpaz of Guardicore disclose details about a critical flaw in Microsoft Hyper-V, tracked as CVE-2021-28476, that can allow triggering a DoS condition ot executing arbitrary code on it.

The flaw resides in Microsoft Hyper-V’s network switch driver (vmswitch.sys), it affects Windows 10 and Windows Server 2012 through 2019.

The CVE-2021-28476 flaw has a critical severity score of 9.9 out of 10, it was addressed by Microsoft in May.

“This issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address. The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security.” reads the advisory published by the company.

vmswitch fails to validate the value of an OID (object identifier) request that is intended for a network adapter.

An attacker could exploit this vulnerability by sending a specially crafted packet from a guest virtual machine to the Hyper-V host.

“Some OID requests are destined to the external network adapter, or other network adapters connected to vmswitch. Such OID requests include, for example, hardware offloading, Internet Protocol security (IPsec) and single root I/O virtualization (SR-IOV) requests.” reads the post published by Guardicore. de “r””

“While processing OID requests, vmswitch traces their content for logging and debugging purposes; this also applies to OID_SWITCH_NIC_REQUEST. However, due to its encapsulated structure, vmswitch needs to have special handling of this request and dereference OidRequest to trace the inner request as well. The bug is that vmswitch never validates the value of OidRequest and can thus dereference an invalid pointer.”

Harpaz and Hadar will present the findings of their analysis at the next Black Hat security conference on August 4.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Babuk ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.