Critical Bug in Azure Hyper-V

When it comes to security it seems that Microsoft will not lift its head from this term, as till now, it seems that 2021 is not the best year for Microsoft in terms of security.

Microsoft is currently facing back-to-back hits of security flaws, among them some are severe, and some bit moderate. While this time, the security researchers, Ophir Harpaz of Guardicore and Peleg Hadar of SafeBreach have detected critical vulnerability in Azure Hyper-V.

This new security flaw allows any threat actor to lock vulnerable PCs by performing RCE (Remote Code Execution) and DOS attacks on them.

Guardicore Labs’ Ophir Harpaz and SafeBreach Labs’ Peleg Hadar have identified the flaw with the following identifier and also evaluated the CVSS score:-

  • CVE ID: CVE-2021-28476
  • CVSS Score: 9.9 out of 10
  • Severity: High

Apart from this both the security researchers stated the following statement regarding this flaw in Azure Hyper-V:-

“Hyper-V is Azure’s hypervisor; for this reason, a vulnerability in Hyper-V entails a vulnerability in Azure, and can affect whole regions of the public cloud. Triggering denial of service from an Azure VM would crash major parts of Azure’s infrastructure and take down all virtual machines (VM) that share the same host.”

Eliminate the VMs or take complete command

In the Hyper-V’s network switch driver (vmswitch.sys) this critical vulnerability was detected and it affects the following version of Windows:-

  • Windows 10
  • Windows Server 2012 through 2019

Not only that even during the investigation, but the cybersecurity experts also discovered that an in-house developed fuzzer which is dubbed hAFL1 was used by this critical bug.

While this hypervisor is the key which is responsible for the functioning of platforms like Docker, and even for some functions of the OS, such as the Windows subsystem for Linux, WSL, to function equally without any issues.

The security analysts, Ophir Harpaz and Peleg Hadar together discovered this critical vulnerability, and they reported this critical flaw to Microsoft privately.

Moreover, this vulnerability in Hyper-V virtual switch doesn’t validate the OID (object identifier). In short, like this, an attacker who had access to a VM created within a Windows 10 or Windows Server could easily send a packet to this driver and communicate directly with the host system.

As a result, they manage to block the entire server or gain full control over it and all other virtual machines (VMs).

Business organizations are slow to patch

The Azure service is safe from this security flaw since Microsoft has already patched this vulnerability, but, still, there are some local Hyper-V deployments that are vulnerable to this security flaw.

This happens due to the slow movement of users and business organizations, as in this case, the maximum number of admins do not update their Windows PCs on time when the patches are released.

While apart from this, the security experts explained that “CVE-2021-28476” is a type of critical bug that transparently illustrates the risk factors that could be brought by the shared resource models.

What it justifies is that a simple bug could lead to disastrous results like RCE (Remote code execution) and DoS (Denial of service) attacks.

That’s why security analysts have strongly recommended users and organizations follow proper security habits, security practices, and segmentation to prevent such attacks and being exploited by attackers.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.