CVE-2018-8115: Windows Host Compute Service Shim Remote Code Execution Vulnerability


Microsoft informed users on May 2 that an update to the Windows Host Compute Service Shim library patches a serious remote code execution vulnerability.

The Windows Host Compute Service (HCS), which was introduced in January 2017, is a low-level container management API for the Microsoft Hyper-V hypervisor. Microsoft has released two open source wrappers that allow users to call HCS from higher-level programming languages instead of calling the C API directly. One of the wrappers is the Windows Host Compute Service Shim (hereafter referred to as hcsshim), which supports launching Windows Server containers from the Go language. Hcsshim is mainly used in the Docker Engine project, but Microsoft said it is free for others to use as well.

Michael Hanselmann, a Swiss developer and security researcher, discovered that hcsshim did not properly validate input when importing a container image, allowing malicious actors to remotely execute arbitrary code on the host operating system.

“To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host,” Microsoft said in its advisory.

The vulnerability, tracked as CVE-2018-8115, has been rated critical, but Microsoft believes it is unlikely to be exploited for malicious purposes. The technical details of the issue have not yet been published. The bug has been resolved in HCS Shim 0.6.10, which is available from GitHub, a hosted platform for open source and proprietary software projects. The U.S. computer emergency response team also issued a warning, advising users to apply updates in a timely manner.