Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
Released: Jul 14, 2020
- Assigning CNA
- Microsoft
- CVE.org link
- CVE-2020-1041
Executive Summary
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.
The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed
- No
- Exploited
- No
- Exploitability assessment
- Exploitation Less Likely
FAQ
How do I know if I'm using RemoteFX?
Please review the information here to determine if you are using RemoteFX.
How can I protect my server from this vulnerability?
If you are running Windows Server 2016 or Windows Server 2019, we recommend you use Discrete Device Assignment (DDA) as opposed to RemoteFX vGPU to enable graphics virtualization. If you are running windows Server 2012 R2 or older, we recommend not using RemoteFX vGPU. Please see Plan for GPU acceleration in Windows Server for more information.
What steps should I take if RemoteFX is required in my environment?
Customers who require RemoteFX in their environment can review the information here.
Where can I find more information about the deprecation of RemoteFX?
- Features removed or planned for replacement starting Windows Server 2019
- Features removed or planned for replacement starting with Windows Server, version 1803
Why is Microsoft planning to disable and remove RemoteFX instead of fixing the vulnerability?
In October 2019, Microsoft announced that we were stopping development of Remote FX and building new functionality. For Windows 10 version 1809 and higher, and Windows Server 2019, RemoteFX vGPU is no longer supported or actively developed. Since these newly identified vulnerabilities are architectural in nature, and the feature is already deprecated on newer versions of Windows, Microsoft has determined that disabling and removing RemoteFX is a better course of action. Microsoft has developed a different platform that is inherently much more secure. Please see Plan for GPU acceleration in Windows Server for more information.
Acknowledgements
- Discovered by Piotr Bania of Cisco Talos
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Disclaimer
Revisions
Information published.