May 31, 2023

Details about a vulnerability that affects Hyper-V, Microsoft’s native hypervisor for creating virtual machines on Windows systems and in the Azure cloud computing environment available for reference. Tracked as CVE-2021-28476, the security issue has a critical severity score of 9.9 out of 10. Exploiting it on unpatched machines can have a devastating impact as it allows crashing the host through DOS Attack or execute arbitrary code on it.

Hyper-V’s network switch driver vmswitch.sys has the bug that affects Windows 10 and Windows Server 2012 through 2019. During patch Tuesday May 2021, this vulnerability received an update.

The flaw stems from the fact that Hyper-V’s virtual switch (vmswitch) does not validate the value of an OID (object identifier) request that is intended for a network adapter (external or connected to vmswitch). An OID request can include hardware offloading, Internet Protocol security (IPsec), and single root I/O virtualization (SR-IOV) requests.

Processing OID requests, vmswitch traces their content for logging and debugging purposes. This also applies to OID_SWITCH_NIC_REQUEST.  Due to its encapsulated structure, vmswitch needs to have special handling of this request and dereference OID Request to trace the inner request as well. Validation failure occurs which could lead to an attacker successfully leveraging this vulnerability needs to have access to a guest VM and send a specially crafted packet to the Hyper-V host.

The result can be either crashes the host and terminate all the VMs running on top of it, or gaining remote code execution on the host, which gives complete control over it and the attached VMs.

For now azure service is safe from this issue, local Hyper-V deployments are likely still vulnerable as not all admins update Windows machines when patches come out.

Regular patching cycle and scanning for frequent missing patches will get rid of critical issues.

Leave a Reply

%d bloggers like this: