Heads Up On Microsoft Security Bulletin MS11-047: Vulnerability in Hyper-V Could Allow Denial of Service (KB2525835)

Well, it’s Patch Tuesday again, and here’s a quick heads up to all people using Hyper-V. I would like to point your attention to http://www.microsoft.com/technet/security/bulletin/MS11-047.mspx. This security bulletin deals with a vulnerability in Hyper-V that could allow a denial of service, as described in knowledge base article 2525835, which can be found here: http://support.microsoft.com/kb/2525835. As you can read, the severity rating is Important, not Critical. If you want to manually download the update you can get it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c9c6c36d-a455-42f7-b7d4-9fb9824c07cb

This is, if I’m not mistaken, only the third security fix for Hyper-V since the Windows Server 2008 era. That is not a bad track record at all! Now look at the information available under mitigating factors: “An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.” Now that isn’t too much to ask from your virtualization infrastructure I hope. If it is, we need to talk. Note that the local logon in question can be a logon to one of the guest virtual machines hosted on the server, not only to the parent partition (see the discussion in the comments below), so anyone you let run code inside a guest is in scope. At the time of writing, no known exploits are out in the wild.

So review this and plan to deploy it in your earliest available maintenance window. The update requires a restart of the host, but when you’re running a cluster with Live Migration you can move the guests to another node first, patch and reboot the host, and move them back, with no downtime for the guests whatsoever.
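As an added example (this is not the author’s script and not from the bulletin), here is how that drain, patch and reboot sequence can be scripted on a Windows Server 2008 R2 cluster node. It assumes the FailoverClusters PowerShell module, an elevated session on the node being patched, and that the KB2525835 .msu has already been downloaded from the link above; the package path and node names are placeholders.

```powershell
<#
  Added example, not code from the original post.
  Drains a Windows Server 2008 R2 Hyper-V cluster node with Live Migration,
  installs the MS11-047 update (KB2525835) and reboots the node.
  Assumptions (none of these come from the page): run in an elevated PowerShell
  on the node being patched, the FailoverClusters module is available, and the
  .msu has already been downloaded to -MsuPath. Supports -WhatIf.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical path; use the file you downloaded from the bulletin's link.
    [Parameter(Mandatory = $true)] [string] $MsuPath,
    # Node that receives the guests; picked automatically when omitted.
    [string] $TargetNode,
    [string] $KB = 'KB2525835'
)

$ErrorActionPreference = 'Stop'
Import-Module FailoverClusters
$me = $env:COMPUTERNAME

# 1. Nothing to do if the update is already there.
if (Get-HotFix -Id $KB -ErrorAction SilentlyContinue) {
    Write-Host "$KB is already installed on $me, nothing to do."
    return
}
if (-not (Test-Path -LiteralPath $MsuPath)) { throw "Update package not found: $MsuPath" }

# 2. Pick a healthy target node if none was given.
if (-not $TargetNode) {
    $candidate = Get-ClusterNode |
        Where-Object { $_.Name -ne $me -and $_.State -eq 'Up' } |
        Select-Object -First 1
    if (-not $candidate) { throw "No other node is Up; cannot drain $me without guest downtime." }
    $TargetNode = $candidate.Name
}

# 3. Find every clustered VM currently owned by this node.
$vmGroups = Get-ClusterResource |
    Where-Object { $_.ResourceType.Name -eq 'Virtual Machine' -and $_.OwnerNode.Name -eq $me } |
    ForEach-Object { $_.OwnerGroup.Name } |
    Sort-Object -Unique

# 4. Live-migrate them one at a time and verify each move before continuing.
foreach ($group in $vmGroups) {
    if ($PSCmdlet.ShouldProcess($group, "Live Migration to $TargetNode")) {
        Move-ClusterVirtualMachineRole -Name $group -Node $TargetNode -MigrationType Live | Out-Null
        $after = Get-ClusterGroup -Name $group
        if ($after.OwnerNode.Name -ne $TargetNode -or $after.State -ne 'Online') {
            throw "Live Migration of $group failed (owner $($after.OwnerNode.Name), state $($after.State)); aborting before patching."
        }
        Write-Host "Moved $group to $TargetNode"
    }
}

# 5. Install the MSU without an automatic reboot so we control the restart.
#    wusa exit codes: 0 = installed, 3010 = installed and reboot required,
#    2359302 (0x240006) = already installed.
if ($PSCmdlet.ShouldProcess($me, "Install $KB from $MsuPath")) {
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Host "$KB installed." }
        3010    { Write-Host "$KB installed, reboot required." }
        2359302 { Write-Host "$KB was already installed." }
        default { throw "wusa.exe returned $($proc.ExitCode); node not rebooted, guests left on $TargetNode." }
    }
}

# 6. Reboot. After the node is back, confirm with Get-HotFix -Id $KB and move
#    the guests home with Move-ClusterVirtualMachineRole -MigrationType Live.
if ($PSCmdlet.ShouldProcess($me, 'Restart')) {
    Restart-Computer -Force
}
```

Run it once with -WhatIf to see which guests would move and where before doing it for real. The definitive check is Get-HotFix -Id KB2525835 after the reboot (with -ComputerName you can query all nodes from one place), and the guests can then be moved home with Move-ClusterVirtualMachineRole -MigrationType Live. On a standalone host without a cluster the same reboot is still required, so plan for the guests to be down for its duration.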

5 thoughts on “Heads Up On Microsoft Security Bulletin MS11-047: Vulnerability in Hyper-V Could Allow Denial of Service (KB2525835)”

    • Hi,
      Thanks for the feedback, but I’m not certain I understand you correctly?

      a) Why would it be too much to ask not to allow non-authorized users to log on locally on your hypervisor? I hope your customers don’t let their customers log on locally on your or their hypervisor?

      b) That’s the proof of concept, yes. I do not see mention of public attack code being out there?


      • (a) the crash can be triggered by local users on virtual guest machines; if it required a local login on the hypervisor itself, it certainly wouldn’t be that interesting
        (b) a proof of concept that works is, to me, indistinguishable from public attack code. Anyone can compile it and get a working crashhyperv.exe

        • Hi there,

          a) True. Hence patch it. This risk is always present whenever someone logs on to a machine: they can run code, and if you cannot control what code they run you’re at risk.
          b) That’s why any patch is the same as releasing the potential for creating an exploit app by reverse engineering, and why it wasn’t disclosed until the patch was released. Chicken and egg. You need to patch ASAP; the difference between the information being out there and an active exploit is nowadays potentially non-existent.

          Patching is a fact of life in IT, just like vaccines, medicines and inoculations are in real life 🙂

  1. Hi!! Could someone compile that code? I’ve been trying a lot, but it doesn’t work 🙁
    I get an error on this line: NtSystemDebugControl = GetProcAddress( GetModuleHandle("ntdll.dll"), "NtSystemDebugControl" ), a conversion problem. Please help.

