CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
CVE-2020-1040 | Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability | Windows Server 2016 | Critical | 15-07-2020 |
Technical Information
Brief overview of the risk:
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
Detailed Information on the risk:
There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.
The software listed in the Security Updates table indicates those operating systems for which RemoteFX vGPU is currently available. RemoteFX vGPU has been deprecated in Windows Server 2019 and customers are advised to use Discrete Device Assignment (DDA) instead of RemoteFX vGPU. DDA was introduced in Windows Server 2016.
Further information on this vulnerability is available at : CVE-2020-1040
Affected Software
Windows Server 2016Windows Server 2016 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)