Microsoft has disabled RemoteFX vGPU for all Windows servers in the July 2020 Cumulative update because of an unpatched CVE-2020-1036 vulnerability
Microsoft yesterday released the July 2020 cumulative update for PCs and laptops running Windows 10. It simultaneously released the KB4569509 patch for Windows Server versions to fix the SIGRed Windows DNS flaw, which could have allowed an attacker to take complete control of systems running Windows Server.
The Windows Server patches rolled out by Microsoft also make a very important change to RemoteFX vGPU. The new patch disables RemoteFX vGPU, and Microsoft wants all sysadmins using Windows Server to patch their systems to disable it.
What is RemoteFX vGPU?
The RemoteFX vGPU feature exists in Windows Server and was introduced with Windows 7. The vGPU feature for RemoteFX makes it possible for multiple virtual machines to share a physical GPU. Rendering and compute resources are shared dynamically among virtual machines, making RemoteFX vGPU appropriate for high-burst workloads where dedicated GPU resources are not required. For example, in a VDI service, RemoteFX vGPU can be used to offload app rendering costs to the GPU, with the effect of decreasing CPU load and improving service scalability.
After installing the July 2020 cumulative patches for Windows Server versions, RemoteFX vGPU is officially disabled. The reason for this was an unpatched security vulnerability that affected all Windows Server versions. Here is a list of Microsoft's Windows 10 July 2020 cumulative patches:
July 14 cumulative updates
- Windows 10 version 1507 — KB4565513 (OS Build 10240.18638)
- Windows 10 version 1607 — KB4565511 (OS Build 14393.3808)
- Windows 10 version 1703 — KB4565499 (OS Build 15063.2439)
- Windows 10 version 1709 — KB4565508 (OS Build 16299.1992)
- Windows 10 version 1803 — KB4565489 (OS Build 17134.1610)
- Windows 10 version 1809 — KB4558998 (OS Build 17763.1339)
- Windows 10 version 1903/1909 — KB4565483 (OS Builds 18362.959 and 18363.959)
- Windows 10 version 2004 — KB4565503 (OS Build 19041.388)
The security vulnerability in Hyper-V RemoteFX vGPU has been assigned the identifier CVE-2020-1036 and is highly critical. The flaw could allow an attacker to run arbitrary code by running a specially crafted app on an exposed system. Microsoft says that since it could not patch this vulnerability, it decided to completely disable RemoteFX vGPU.
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly validate input from an authenticated user on a guest operating system. To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then cause the host operating system to execute arbitrary code.
Microsoft security bulletin for CVE-2020-1036.
Microsoft has asked every Windows Server user to apply the July 2020 patch, which will disable the feature and thus remove the vulnerability. It added that it was not aware of CVE-2020-1036 being exploited in the wild.
After installing the patch, sysadmins who want to can enable RemoteFX vGPU manually using Hyper-V Manager or PowerShell cmdlets. However, Microsoft will completely disable the feature starting 9th February 2021.
“The current implementation of RemoteFX vGPU appears susceptible to security vulnerabilities. Because these newly identified vulnerabilities are architectural in nature, and the feature is already removed from newer versions of Windows, the July 14, 2020 security updates and all superseding Windows Updates will disable and remove the RemoteFX vGPU feature. Starting with the July 14, 2020 security updates, this and all superseding Windows Updates will disable the RemoteFX vGPU feature,” the company says.
After installing the July 2020 cumulative patch, if the sysadmin tries to launch a virtual machine configured with the RemoteFX adapter, they would get this error message.
“The virtual machine cannot be started because all the RemoteFX-capable GPUs are disabled in Hyper-V Manager.”
“The virtual machine cannot be started because the server has insufficient GPU resources.”
After applying the patch, if the sysadmin enables the vGPU through Hyper-V Manager or PowerShell cmdlets, the Windows Server will warn them.
We no longer support the RemoteFX 3D video adapter. If you are still using this adapter, you may become vulnerable to security risk. Learn more (https://go.microsoft.com/fwlink/?linkid=213976)
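A read-only audit a sysadmin could run on a Hyper-V host to see whether it is at the July 2020 patch level and whether RemoteFX vGPU is still in use. This is an added example, not code from Microsoft or the original article. The function name Get-RemoteFxExposure and the NeedsReview field are hypothetical, and the script assumes the Hyper-V PowerShell module, an elevated session, and that Windows Server 2016 and 2019 report builds 14393 and 17763.

```powershell
# Added example: read-only audit of RemoteFX vGPU use on a Hyper-V host.
# Nothing is changed on the host; the function only reports.
Import-Module Hyper-V -ErrorAction Stop

# Minimum patched revision per OS build, from the July 14 list in the article.
$PatchedRevision = @{
    10240 = 18638; 14393 = 3808; 15063 = 2439; 16299 = 1992; 17134 = 1610
    17763 = 1339;  18362 = 959;  18363 = 959;  19041 = 388
}

function Get-RemoteFxExposure {   # hypothetical name
    # 1. Compare the running build.revision with the July 2020 level.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $patched = if ($PatchedRevision.ContainsKey($build)) {
        $ubr -ge $PatchedRevision[$build]
    } else {
        $null   # build not in the article's list: unknown, check manually
    }

    # 2. Physical GPUs on this host that are still enabled for RemoteFX.
    $gpus = @(Get-VMRemoteFXPhysicalVideoAdapter -ErrorAction SilentlyContinue |
        Where-Object Enabled)

    # 3. VMs that still have a RemoteFX 3D video adapter configured.
    #    These are the VMs that fail to start once the feature is disabled.
    $vms = @(Get-VM | Where-Object {
        Get-VMRemoteFx3dVideoAdapter -VM $_ -ErrorAction SilentlyContinue
    })

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        Build           = "$build.$ubr"
        AtJuly2020Level = $patched
        EnabledGpus     = $gpus.Name
        VmsWithRemoteFx = $vms.Name
        # Flag hosts where the feature was turned back on and is in use.
        NeedsReview     = ($gpus.Count -gt 0 -and $vms.Count -gt 0)
    }
}

Get-RemoteFxExposure | Format-List
```

A host that reports NeedsReview as True has had the feature manually re-enabled after patching, or has not yet been patched.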