{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-042.pdf"
    },
    "title": "Critical Vulnerability in Microsoft Hyper-V",
    "serial_number": "2021-042",
    "publish_date": "29-07-2021 19:23:00",
    "description": "On May 11, Microsoft published a security update guide about a critical Hyper-V Remote Code Execution Vulnerability, tracked as \"CVE-2021-28476\" with a CVSS score of 9.9. The exploitation of this vulnerability can lead to denial of service conditions or remote code execution. A proof of concept for this vulnerability is now publicly available.",
    "url_title": "2021-042",
    "content_markdown": "---\ntitle: 'Critical Vulnerability in Microsoft Hyper-V'\nversion: '1.0'\nnumber: '2021-042'\ndate: 'July 29, 2021'\n---\n\n_History:_\n\n* _29/07/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn May 11, Microsoft published a security update guide about a critical Hyper-V Remote Code Execution Vulnerability, tracked as `CVE-2021-28476` with a CVSS score of 9.9 [1]. The exploitation of this vulnerability can lead to denial of service conditions or remote code execution [2]. A proof of concept for this vulnerability is now publicly available [3].\n\n# Technical Details\n\nThe vulnerability\u00a0`CVE-2021-28476` relies on Hyper-V\u2019s virtual switch (_vmswitch_) that does not validate the value of an object identifier request that is intended for a network adapter. \n\nAttackers need to have access to a guest virtual machine to exploit this vulnerability, and from there, send a specially crafted packet to the Hyper-V host. The exploitation of this vulnerability can lead to the crash of the host, or to remote code execution on the host and on the virtual machines attached to it. [2]\n\n# Affected Products\n\n- Windows Server\u00a02012 R2 (Server Core installation)\n- Windows Server\u00a02012 R2\n- Windows Server\u00a02012 (Server Core installation)\n- Windows Server\u00a02012\n- Windows Server\u00a02008 R2 for x64-based Systems Service Pack 1 (Server Core installation)\n- Windows Server\u00a02008 R2 for x64-based Systems Service Pack\u00a01\n- Windows Server\u00a02008 for x64-based Systems Service Pack\u00a02 (Server Core installation)\n- Windows Server\u00a02008 for x64-based Systems Service Pack\u00a02\n- Windows\u00a08.1 for x64-based systems\n- Windows\u00a07 for x64-based Systems Service Pack\u00a01\n- Windows Server\u00a02016 (Server Core installation)\n- Windows Server\u00a02016\n- Windows\u00a010 Version\u00a01607 for x64-based Systems\n- Windows\u00a010 for x64-based Systems\n- Windows Server, version 20H2 (Server Core Installation)\n- Windows\u00a010 Version 20H2 for x64-based Systems\n- Windows Server, version\u00a02004 (Server Core installation)\n- Windows\u00a010 Version\u00a02004 for x64-based Systems\n- Windows Server, version\u00a01909 (Server Core installation)\n- Windows\u00a010 Version\u00a01909 for x64-based Systems\n- Windows Server\u00a02019 (Server Core installation)\n- Windows Server\u00a02019\n- Windows\u00a010 Version\u00a01809 for x64-based Systems\n- Windows\u00a010 Version\u00a01803 for x64-based Systems\n\n# Recommendations\n\nMicrosoft recommends to apply Monthly Rollup or Security Update depending on the running version of Windows. [1]\n\nCERT-EU also recommends updating the vulnerable systems as soon as possible.\n\n# References\n\n[1] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476>\n\n[2] <https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-bug-could-haunt-orgs-for-a-long-time/>\n\n[3] <https://github.com/0vercl0k/CVE-2021-28476>\n\n\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>29/07/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On May 11, Microsoft published a security update guide about a critical Hyper-V Remote Code Execution Vulnerability, tracked as <code>CVE-2021-28476</code> with a CVSS score of 9.9 [1]. The exploitation of this vulnerability can lead to denial of service conditions or remote code execution [2]. A proof of concept for this vulnerability is now publicly available [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability\u00a0<code>CVE-2021-28476</code> relies on Hyper-V\u2019s virtual switch (<em>vmswitch</em>) that does not validate the value of an object identifier request that is intended for a network adapter. </p><p>Attackers need to have access to a guest virtual machine to exploit this vulnerability, and from there, send a specially crafted packet to the Hyper-V host. The exploitation of this vulnerability can lead to the crash of the host, or to remote code execution on the host and on the virtual machines attached to it. [2]</p><h2 id=\"affected-products\">Affected Products</h2><ul><li>Windows Server\u00a02012 R2 (Server Core installation)</li><li>Windows Server\u00a02012 R2</li><li>Windows Server\u00a02012 (Server Core installation)</li><li>Windows Server\u00a02012</li><li>Windows Server\u00a02008 R2 for x64-based Systems Service Pack 1 (Server Core installation)</li><li>Windows Server\u00a02008 R2 for x64-based Systems Service Pack\u00a01</li><li>Windows Server\u00a02008 for x64-based Systems Service Pack\u00a02 (Server Core installation)</li><li>Windows Server\u00a02008 for x64-based Systems Service Pack\u00a02</li><li>Windows\u00a08.1 for x64-based systems</li><li>Windows\u00a07 for x64-based Systems Service Pack\u00a01</li><li>Windows Server\u00a02016 (Server Core installation)</li><li>Windows Server\u00a02016</li><li>Windows\u00a010 Version\u00a01607 for x64-based Systems</li><li>Windows\u00a010 for x64-based Systems</li><li>Windows Server, version 20H2 (Server Core Installation)</li><li>Windows\u00a010 Version 20H2 for x64-based Systems</li><li>Windows Server, version\u00a02004 (Server Core installation)</li><li>Windows\u00a010 Version\u00a02004 for x64-based Systems</li><li>Windows Server, version\u00a01909 (Server Core installation)</li><li>Windows\u00a010 Version\u00a01909 for x64-based Systems</li><li>Windows Server\u00a02019 (Server Core installation)</li><li>Windows Server\u00a02019</li><li>Windows\u00a010 Version\u00a01809 for x64-based Systems</li><li>Windows\u00a010 Version\u00a01803 for x64-based Systems</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Microsoft recommends to apply Monthly Rollup or Security Update depending on the running version of Windows. [1]</p><p>CERT-EU also recommends updating the vulnerable systems as soon as possible.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-bug-could-haunt-orgs-for-a-long-time/\">https://www.bleepingcomputer.com/news/security/critical-microsoft-hyper-v-bug-could-haunt-orgs-for-a-long-time/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://github.com/0vercl0k/CVE-2021-28476\">https://github.com/0vercl0k/CVE-2021-28476</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}