This issue was discovered by Drew Hester of Trustwave and is described in the following blog post: Cluster Shared Volumes Denial of Service Vulnerability. Cluster Shared Volumes (CSVs) are a feature that allows multiple Windows Servers to access and share the same storage volume. The storage volume can be a hard drive, a RAID, or a networked storage device. Windows Server 2012 R2 and Windows Server 2016 include a feature called “Cluster Shared Volumes” that creates a logical unit called a “Cluster Shared Volume” on each server. A Cluster Shared Volume can be used for shared file storage. When you add a new disk to a Windows Server, the system creates a Cluster Shared Volume on that disk. There are a couple of ways that a user can access a Cluster Shared Volume. The first is through RDMs (Remote Desktop Services) or by using Storage Spaces. Another way that a user can access a Cluster Shared Volume is by using a CSV (Cluster Shared Volume). When a user accesses a Cluster Shared Volume, Windows Server creates a virtual channel between the user’s process and the Cluster Shared Volume. When you have a large number of users accessing a Cluster Shared Volume, the number of connections can create a DOS (Denial of Service) condition. To exploit this issue, an attacker would need to target a server running Windows Server and have the user access a CSV. An attacker could then generate a large number of connections to
Description of Issue
A Cluster Shared Volume is a logical unit, which looks like a regular disk, that can be used for shared file storage. When you have new disks, Windows Server creates a Cluster Shared Volume on each one. A Cluster Shared Volume can be used by Remote Desktop Services (RDMs) or Storage Spaces to access it. When a user accesses a Cluster Shared Volume over RDMs or Storage Spaces, Windows creates virtual channels between the user’s process and the Cluster Shared Volume. The size of these virtual channels can create a DOS condition when you have a large number of connections to the CSV. These connections are created by users who access their own CSV through Remote Desktop Services or Storage Spaces. An attacker would need to target systems and users running Windows Server 2012 R2 and Windows Server 2016 and convince them to connect to their own CSVs in order for this issue to be exploited.
Cluster Shared Volumes Denial of Service Vulnerability – Technical Details
In order to create a Cluster Shared Volume, Windows Server creates a virtual channel between the user’s process and the Cluster Shared Volume. When you have a large number of users accessing a Cluster Shared Volume, the number of connections can create a DOS (Denial of Service) condition. To exploit this issue, an attacker would need to target a server running Windows Server and have the user access a CSV. An attacker could then generate a large number of connections to the CSV and cause it to crash.
The vulnerability has been assigned CVE-2022-26784 and is described in more detail in the following blog post: Cluster Shared Volumes Denial of Service Vulnerability.
Cluster Shared Volumes Denial of Service Vulnerability
The Cluster Shared Volumes Denial of Service Vulnerability is a vulnerability in the Windows Server 2012 R2 and Windows Server 2016. This vulnerability can be exploited via a malicious user using a CSV (Cluster Shared Volume) to generate a large number of connections between the attacker’s process and the server. The vulnerability originates from an issue when adding new disks to a Windows Server, which creates a Cluster Shared Volume on that disk. An attacker could then create an overwhelming number of connections to the CSV, which would cause the server to crash.
Timeline
Published on: 04/15/2022 19:15:00 UTC
Last modified on: 04/25/2022 16:26:00 UTC