Overview
A remote code execution vulnerability in the Microsoft Hyper-V RemoteFX vGPU component caused by improper input validation. An authenticated guest user with access to a Hyper-V virtual machine can execute arbitrary code on the host server. This vulnerability bridges the VM boundary and allows guest-to-host privilege escalation. The vulnerability was disclosed on July 14, 2020. CISA has identified CVE-2020-1040 as being exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
The vulnerability exists in the RemoteFX vGPU (virtual GPU) component of Microsoft Hyper-V. When RemoteFX is enabled, it allows guests to use graphics hardware on the host through network protocols. The vulnerability stems from improper validation of input data in the RemoteFX protocol handling code. An authenticated user running code on a guest virtual machine can craft malicious input that bypasses validation checks, leading to memory corruption and arbitrary code execution with the privileges of the Hyper-V host process (typically SYSTEM level).
The vulnerability is classified as CWE-20 (Improper Input Validation) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
The vulnerability received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, indicating its HIGH severity.
Impact
An authenticated guest user can execute arbitrary code on the Hyper-V host with elevated privileges (SYSTEM/NT AUTHORITY\SYSTEM level). This breaks the isolation boundary between guest and host, allowing complete compromise of the host system, including access to other virtual machines, host resources, and sensitive data. An attacker could install malware, exfiltrate data, pivot to other systems on the network, or launch attacks against other guests.
Mitigation and workarounds
Install the March 10, 2020 cumulative security update from Windows Update or the Microsoft Update Catalog. The fix is available in KB4551853 and subsequent cumulative updates. Users can obtain patches via: 1) Windows Update/Microsoft Update automatic installation, 2) manual download from the Microsoft Update Catalog (https://catalog.update.microsoft.com), 3) enterprise deployment tools (WSUS, Configuration Manager). The following versions include the required fixes: Windows Server 2012 R2 - KB4551853, Windows Server 2016 - KB4551853, Windows Server 2019 - KB4551853, Windows 10 v1909 - KB4551853, Windows 10 v1903 - KB4551853, Windows 10 v1809 - KB4551853, Windows 10 v1803 - KB4551853.
As temporary workarounds: disable RemoteFX vGPU on Hyper-V hosts if it is not required; this can be done via Hyper-V Manager by removing the RemoteFX 3D Video Adapter from virtual machines and disabling the RemoteFX feature on the host. Restrict guest user privileges and limit authenticated access to virtual machines; remove or limit user accounts with privileges to execute code on guest systems. Isolate Hyper-V hosts in trusted network zones and implement strict network access controls to limit connectivity between untrusted guests and production hosts. Use Host Guardian Service (HGS) and shielded VMs to provide additional isolation and attestation controls.
CISA recommendation: Apply updates per vendor instructions.
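The following PowerShell audit script is an added example, not part of the original report, for checking a Hyper-V host against the mitigations above: it lists VMs that still carry a RemoteFX 3D Video Adapter, checks whether the KB named in the report is recorded, and can remove the adapter from a stopped VM. It assumes the Hyper-V PowerShell module and an elevated session on the host; the function names are this example's own.

```powershell
# Added example (not from the original report): audit a Hyper-V host for the
# RemoteFX mitigation state described above. Requires the Hyper-V module and an
# elevated session on the host. The KB number is the one given in the report.
$Kb = 'KB4551853'

function Get-RemoteFxExposure {
    # Returns one object per VM that still has a RemoteFX 3D video adapter attached.
    foreach ($vm in Get-VM) {
        $adapters = Get-VMRemoteFx3dVideoAdapter -VMName $vm.Name -ErrorAction SilentlyContinue
        foreach ($a in $adapters) {
            [pscustomobject]@{
                VMName = $vm.Name
                State  = $vm.State
            }
        }
    }
}

function Test-RemoteFxPatch {
    param([string]$HotFixId = $Kb)
    # True if the named cumulative update is recorded on this host. Get-HotFix only
    # matches the exact KB, so a host carrying a later cumulative update that
    # supersedes it will report $false; treat that as a prompt to verify the build,
    # not as proof of exposure.
    [bool](Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue)
}

function Remove-RemoteFxFromVm {
    param([Parameter(Mandatory)][string]$VMName, [switch]$Apply)
    # The adapter can only be removed from a VM that is powered off. Without
    # -Apply the function runs with -WhatIf and only reports what it would change.
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') {
        Write-Warning "$VMName is $($vm.State); stop it before removing the adapter"
        return
    }
    if ($Apply) {
        Remove-VMRemoteFx3dVideoAdapter -VMName $VMName
    } else {
        Remove-VMRemoteFx3dVideoAdapter -VMName $VMName -WhatIf
    }
}

# Report the host's current state.
$exposed = @(Get-RemoteFxExposure)
"Host has $Kb recorded: $(Test-RemoteFxPatch)"
"VMs with a RemoteFX 3D video adapter: $($exposed.Count)"
$exposed | Format-Table -AutoSize
```

Run Remove-RemoteFxFromVm with -Apply only after confirming the VM in question does not need the adapter, and re-run Get-RemoteFxExposure afterwards to verify the host is clean.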
Additional resources
Source: This report was generated by AI

