CVE-2020-1040
Published 2020-07-14
Priority P1 · 84 · critical · 9 (CVSS 3.1)
Vector: AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2022-05-03
Exploited in the wild
EPSS: 6.90% (93.3th percentile)
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
Detection & IOCs
- Exploitation requires a specially crafted application run on a guest operating system targeting third-party video drivers on the Hyper-V host
- Affected component is Hyper-V RemoteFX vGPU; detection should focus on RemoteFX vGPU being enabled on Windows Server 2012 R2 and older, or Windows Server 2016 hosts
- Successful exploitation results in arbitrary code execution on the host operating system from a guest VM context — monitor for unexpected host-level process spawning originating from Hyper-V worker processes
- There is no patch available for this vulnerability; Microsoft's mitigation is to forcibly disable RemoteFX vGPU via the update. Environments still requiring RemoteFX remain exposed.
- RemoteFX vGPU is deprecated in Windows Server 2019 and higher; vulnerability only applies to systems where RemoteFX vGPU is still available and enabled (Windows Server 2016 and older).
- Exploitation requires an authenticated user on a guest operating system, limiting the attack surface to environments with untrusted guest VM users.
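CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.0 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 7.7 | HIGH | AV:A/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | — | 9.0 | CRITICAL | — |
| cisa | — | 9.0 | CRITICAL | — |
| vendor_msrc | — | 8.0 | HIGH | — |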
GHSA
GHSA-cwh6-w644-6v8q · CVE-2020-1036 [CRITICAL]
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.
GHSA
GHSA-6jw7-r2qx-ffpf · CVE-2020-1043 [CRITICAL]
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042.
GHSA
GHSA-98qh-xxww-5r96 · CVE-2020-1040 [CRITICAL] CWE-20
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.
GHSA
GHSA-8f34-ccvf-c6jf · CVE-2020-1042 [CRITICAL]
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1043.
GHSA
GHSA-j92j-5hg7-f7hx · CVE-2020-1032 [CRITICAL]
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1036, CVE-2020-1040, CVE-2020-1041, CVE-2020-1042, CVE-2020-1043.
GHSA
GHSA-9gp9-35p2-qvpw · CVE-2020-1041 [CRITICAL]
ghsa_unreviewed · 2022-05-24 · CVSS 9.0
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system, aka 'Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2020-1032, CVE-2020-1036, CVE-2020-1040, CVE-2020-1042, CVE-2020-1043.
VulnCheck
Microsoft Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
vulncheck · 2020 · CVSS 9.0 · CVE-2020-1040 [CRITICAL] CWE-20
Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. Successful exploitation allows for remote code execution on the host operating system.
Affected: Microsoft Hyper-V RemoteFX
Required Action: Apply updates per vendor instructions.
Exploitation References: https://cisa.gov/news-events/cybersecurity-advisories/aa20-275a; https://us-cert.cisa.gov/ncas/alerts/aa20-275a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-05-03
CISA
Microsoft Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
cisa · 2021-11-03 · CVSS 9.0 · CVE-2020-1040 [CRITICAL] CWE-20
Affected: Microsoft Hyper-V RemoteFX
Microsoft Hyper-V RemoteFX vGPU contains an improper input validation vulnerability due to the host server failing to properly validate input from an authenticated user on a guest operating system. Successful exploitation allows for remote code execution on the host operating system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2020-1040
Remediation Due Date: 2022-05-03
Microsoft
Hyper-V RemoteFX vGPU Remote Code Execution Vulnerability
vendor_msrc · 2020-07-14 · CVSS 8.0 · CVE-2020-1040 [CRITICAL]
Description: A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.
An attacker who successfully exploited the vulnerability could execute arbitrary code on the host operating system.
There is no patch to fix this vulnerability, and the update listed will forcibly disable RemoteFX when applied. More information can be found in the FAQ below.
The software
No detection rules found.
No public exploits indexed.
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Tenable
Microsoft’s July 2020 Patch Tuesday Addresses 123 CVEs Including Wormable Windows DNS Server RCE (CVE-2020-1350) (SIGRed)
blogs_tenable·2020-07-14·CVSS 10.0
Talos
Vulnerability Spotlight: Multiple vulnerabilities in RemoteFX affects, AMD, Intel chips
blogs_talos · 2020-07-14
Piotr Bania of Cisco Talos discovered these vulnerabilities. Blog by Jon Munshaw.
Cisco Talos recently discovered multiple vulnerabilities in Intel’s Graphics Accelerator Driver and in an AMD Radeon driver. The Intel driver was released in 2019 and is used in multiple Intel integrated and non-integrated GPUs. It is likely that an attacker could use these vulnerabilities to exploit users remotely. The vulnerability could also be used to escape out of a Hyper-V virtual machine to access the host machine. Talos discovered the RemoteFX feature in Hyper-V affects both the Intel and AMD products and can be used to perform a Hyper-V guest-to-host escape. Microsoft disabled the RemoteFX feature as part of this month’s Patch Tuesday.
In accordance with our disclosure policy, Talos contacted Inte
Qualys
July 2020 Patch Tuesday – 123 Vulnerabilities, 18 Critical, Hyper-V RemoteFX, DNS Server, Workstation, Adobe
blogs_qualys·2020-07-14·CVSS 9.0
This month’s Microsoft Patch Tuesday addresses 123 vulnerabilities with 18 of them labeled as Critical. The 18 Critical vulnerabilities cover Hyper-V, DNS Server, PerformancePoint, SharePoint Server, Office, Outlook, Remote Desktop, and several other workstation vulnerabilities. Adobe issued patches today for Download Manager, Media Encoder, Genuine Service, ColdFusion, and Creative Cloud.
## Workstation Patches
Today’s patch Tuesday fixes many vulnerabilities that would impact workstations. The Office, Outlook, Remote Desktop Client, DirectWrite, Address Book, LNK, GDI+, Font Libr
- https://nvidia.custhelp.com/app/answers/detail/a_id/5044
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1040
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-1040
- 2020-07-14: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild