On July 14, 2015 Microsoft released a Critical Hotfix for Hyper-V Servers. The details are a bit vague right now, but it seems that if a Guest has elevated rights with the right tools they can gain access to the Host’s Parent Partition. For obvious reasons this isn’t good and as such all Hyper-V Farms should be patched immediately.

It appears that there are two issues:

#1 – Hyper-V Buffer Overflow Vulnerability –CVE-2015-2361

A remote code execution vulnerability exists in Windows Hyper-V in a host context if an authenticated and privileged user on a guest virtual machine hosted by Hyper-V runs a specially crafted application.

To exploit this vulnerability, an attacker must have valid logon credentials for a guest virtual machine. Systems where Windows Hyper-V is installed are primarily at risk. The security update addresses the vulnerability by correcting how Hyper-V handles packet size memory initialization in guest virtual machines.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

 

#2 – Hyper-V System Data Structure Vulnerability – CVE-2015-2362

A remote code execution vulnerability exists in Windows Hyper-V in a host context if an authenticated and privileged user on a guest virtual machine hosted by Hyper-V runs a specially crafted application.

To exploit this vulnerability, an attacker must have valid logon credentials for a guest virtual machine. Systems where Windows Hyper-V is installed are primarily at risk. The security update addresses the vulnerability by correcting how Hyper-V initializes system data structures in guest virtual machines.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

This update is available through the following:

 

Method 1: Windows Update

This update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see Get security updates automatically.

Note For Windows RT 8.1, this update is available through Windows Update only.

Method 2: Microsoft Download Center

You can obtain the stand-alone update package through the Microsoft Download Center. Follow the installation instructions on the download page to install the update.

Click the download link in Microsoft Security Bulletin MS15-068 that corresponds to the version of Windows that you are running.

It appears from the list below that almost every Hyper-V Version is impacted by this threat.

 

Operating System
Maximum Security Impact
Aggregate Severity Rating
Updates Replaced
Windows Server 2008
Windows Server 2008 for x64-based Systems Service Pack 2(3046339) Remote Code Execution Critical None
Windows Server 2008 R2
Windows Server 2008 R2 for x64-based Systems Service Pack 1(3046339) Remote Code Execution Critical None
Windows 8 and Windows 8.1
Windows 8 for x64-based Systems(3046339) Remote Code Execution Critical None
Windows 8.1 for x64-based Systems(3046339) Remote Code Execution Critical None
Windows 8.1 for x64-based Systems(3046359) Remote Code Execution Critical None
Windows Server 2012 and Windows Server 2012 R2
Windows Server 2012(3046339) Remote Code Execution Critical None
Windows Server 2012 R2(3046339) Remote Code Execution Critical None
Windows Server 2012 R2(3046359) Remote Code Execution Critical None
Server Core installation option
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(3046339)
Remote Code Execution Critical None
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(3046339)
Remote Code Execution Critical None
Windows Server 2012 (Server Core installation)
(3046339)
Remote Code Execution Critical None
Windows Server 2012 R2 (Server Core installation)
(3046339)
Remote Code Execution Critical None
Windows Server 2012 R2 (Server Core installation)
(3046359)
Remote Code Execution Critical None

 

 

 

Folks remember to patch your Hyper-V Servers the same as any other workload. You could force the update down manually with the hotfix, WSUS, SCCM, or our Patch Solution http://patchsolution.codeplex.com

 

Stay safe everyone!

 

Dave

Advertisements