Full Report
Hypervisor-Protected Code Integrity (HVCI) is a method of preventing compromise of various kernel parts even when an attacker has compromised part of the kernel itself. While creating a Windbg extension for HyperV on Intel processors, the author noticed something very strange. Even with HVCI enabled some of the pages were marked RWX, which shouldn't be possible. On the 7 intel devices they had, 3 of them had this issue. Exploitation of the issue was trivial, since the pages were already marked RWX. So, what happened? Intel Virtualization Extension (Intel VT-x) is a virtualization standard that's been upgraded multiple times. For IOMMU device memory protection, the memory can be exposed to the hypervisor in a few different ways, such VMEXIT, VmBus with HyperV and accelerated hardware mapped directly to the VM. To isolate memory between VMs, an IOMMU should have I/O device assignment, DMA remapping and handle interrupts in the appropriate VM. When a remapping occurs, it must be announced in the BIOS by an APCI table called DMA Remapping Reporting (DMAR). If a device needs to perform DMA transfer on specific memory regions, like a network controller, it'll need access both before and after setting up the IOMMU. For these types of devices, there is another special table called the Reserved Memory Region Reporting (RMRR). For RMRR structure, there are two important concepts. First, the BIOS should report memory described in the RMRR as Reserved in the UEFI memory map. Second, when the OS enables remapping, the address translation for these they need to be marked as RW. So, what's the bug in all of this? The first point above (RMRR marked as Reserved in the MM) was simply not happening. When the secure kernel starts, it will go through each one of the marked pages to mark it as either RW or RX but not both. Since this page is never added, we have a problem. As a result, it leaves the execution protection for the memory region on, leading to a violation of HVCI. To fix the issue, the commercial devices added RMRR to the memory map. Additionally, Windows removed the X permission on all RMRR memory regions in order to prevent this type of issue from happening in the future. Overall, an interesting root cause of a bug discovered by accident.
Analysis Summary
# Vulnerability: HVCI Bypass via Improper RMRR Memory Mapping in UEFI
## CVE Details
- **CVE ID:** CVE-2024-21305
- **CVSS Score:** Not explicitly listed in text (MSRC classifies as Important/High severity)
- **CWE:** CWE-267: Privilege Defined by Unsafe Resources (or CWE-284: Improper Access Control)
## Affected Systems
- **Products:** Windows 10, Windows 11, and Windows Server systems utilizing Hypervisor-Protected Code Integrity (HVCI).
- **Versions:** Systems running Windows before the January 9, 2024, security update.
- **Configurations:** Intel-based systems where the UEFI firmware fails to report Reserved Memory Region Reporting (RMRR) structures correctly within the UEFI memory map. Affected hardware observed includes 6th through 10th generation Intel processors.
## Vulnerability Description
The vulnerability stems from a discrepancy between Intel VT-d specifications and specific UEFI firmware implementations regarding how memory for DMA-capable devices is handled.
HVCI relies on the hypervisor to ensure no memory pages are simultaneously Writable and Executable (RWX). When Hyper-V initializes, it parses the **UEFI memory map** to apply protections (stripping 'Execute' permissions from VTL 0). However, if the BIOS reports memory regions via the **DMAR (DMA Remapping Reporting) ACPI table** in an **RMRR structure** but fails to also mark those same regions as "Reserved" in the **UEFI memory map**, the hypervisor skips these pages during its protection pass. This results in Guest Physical Addresses (GPAs) remaining in an RWX state, violating the security guarantees of HVCI.
## Exploitation
- **Status:** PoC available (developed by researcher).
- **Complexity:** Low (once RWX pages are identified).
- **Attack Vector:** Local (requires the ability to load a driver or have kernel-mode access to map linear addresses to the vulnerable GPAs).
## Impact
- **Confidentiality:** High (Full kernel compromise possible).
- **Integrity:** High (Allows execution of unsigned/arbitrary code in the kernel).
- **Availability:** High (Potential for system instability or intentional crashes).
## Remediation
### Patches
- **Windows Update:** Apply the January 9, 2024, security update.
- **Firmware Updates:** Microsoft released firmware updates for its own commercial devices to include RMRR regions in the UEFI memory map.
### Workarounds
- No specific software workarounds are noted; the primary fix involves the OS/Hypervisor update which enforces "No-Execute" (NX) permissions on all RMRR regions by default, regardless of firmware reporting.
## Detection
- **Indicators of Compromise:** Presence of kernel-mode shellcode execution in environments where HVCI is strictly enforced.
- **Detection Methods:**
- Using the **UEFI Shell:** Run the `memmap` command. If the memory ranges defined in the RMRR (found in the DMAR ACPI table) do not appear as "Reserved" in the memory map, the system is likely vulnerable.
- **Debugging Tools:** Using specialized extensions like `hvext.js` in WinDbg to dump Extended Page Tables (EPT) and scan for Guest Physical Addresses (GPAs) with RWX permissions.
## References
- **MSRC Advisory:** [https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21305](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21305)
- **Technical Analysis:** [https://tandasat.github.io/blog/2024/01/15/CVE-2024-21305.html](https://tandasat.github.io/blog/2024/01/15/CVE-2024-21305.html)
- **PoC Repository:** [https://github.com/tandasat/CVE-2024-21305](https://github.com/tandasat/CVE-2024-21305)