Well, it’s Patch Tuesday again, and here’s a quick heads-up to all people using Hyper-V. I would like to point your attention to http://www.microsoft.com/technet/security/bulletin/MS11-047.mspx. This security bulletin deals with a vulnerability in Hyper-V that could allow a denial of service, as described in knowledge base article 2525835, which can be found here: http://support.microsoft.com/kb/2525835. As you can read, the severity rating is Important, not Critical. If you want to manually download the update you can get it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c9c6c36d-a455-42f7-b7d4-9fb9824c07cb
This is, if I’m not mistaken, only the third security fix for Hyper-V since the Windows 2008 era. That is not a bad track record at all! Now look at the information available under mitigating factors: an attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users. Now that isn’t too much to ask from your virtualization infrastructure, I hope. If it is, we need to talk. At the time of writing, no known exploits are out in the wild.
So review this and plan to deploy it at your earliest available maintenance window. When you’re running a cluster with Live Migration you can do this with no downtime for the guests whatsoever, which matters because the update requires a restart of the host.
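As an added example (not code from the original post), here is a small PowerShell check that reports which nodes of a Hyper-V failover cluster still lack KB2525835, so you know which hosts to live-migrate guests off, patch and restart in the maintenance window. It assumes the FailoverClusters module is available on the machine you run it from and that `Get-HotFix` can query each node remotely.

```powershell
# Added example, not part of the original post: find cluster nodes missing the
# MS11-047 fix (KB2525835). Assumes the FailoverClusters module is installed and
# that remote WMI queries to each node are permitted for the current account.
Import-Module FailoverClusters

$kb = 'KB2525835'
$nodes = Get-ClusterNode | Select-Object -ExpandProperty Name

foreach ($node in $nodes) {
    try {
        # Get-HotFix writes a terminating error when the requested update is absent.
        $fix = Get-HotFix -Id $kb -ComputerName $node -ErrorAction Stop
        Write-Output ('{0}: {1} installed on {2}' -f $node, $kb, $fix.InstalledOn)
    } catch {
        # Either the update is missing or the node could not be queried;
        # both cases need a look before you consider the cluster patched.
        Write-Output ('{0}: {1} NOT found - live-migrate guests away, patch, restart' -f $node, $kb)
    }
}
```

Get-HotFix only sees updates recorded in Win32_QuickFixEngineering, so a host patched by other means may need a second check in Programs and Features.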
(a) if a customer’s customer can crash my infrastructure, that *is* bad. So yes, it is too much to ask.
(b) an exploit was released on June 14th, details at http://www.coresecurity.com/content/hyperv-vmbus-persistent-dos-vulnerability
Hi,
Thanks for the feedback, but I’m not certain I understand you correctly?
a) Why would it be too much to ask not to allow non-authorized users to log on locally on your hypervisor? I hope your customers don’t let their customers log on locally on your or their hypervisor?
b) That’s the proof of concept, yes. I do not see mention of public attack code being out there?
Cheers
(a) the crash can be triggered by local users on virtual guest machines; if it required a local login on the hypervisor itself, it certainly wouldn’t be that interesting
(b) a proof of concept that works is, to me, indistinguishable from public attack code. Anyone can compile it and get a working crashhyperv.exe
Hi there,
a) True. Hence patch it. This risk is always true whenever someone logs on to a machine: they can run code, and if you cannot control what code they run you’re at risk.
b) That’s why any patch is the same as releasing the potential for creating an exploit app by reverse engineering, and why it wasn’t disclosed until the patch was released. Chicken and egg. You need to patch ASAP; the difference between the information being out there and an active exploit is nowadays potentially non-existent.
Patching is a fact of life in IT, just like vaccines, medicines and inoculations are in real life 🙂
Hi!! Could someone compile that code? I’ve been trying a lot, but it doesn’t work 🙁
I have an error in this line: NtSystemDebugControl = GetProcAddress( GetModuleHandle("ntdll.dll"), "NtSystemDebugControl" ) conversion problem, please help.