Join Log in
Score:-4
prd avatar Server

Is there any way to access Hyper-V host from a network adapter not shared with host?

jp flag
prd

I am considering to move my firewall inside Hyper-V. There will be only one Guest OS that is connected to the virtual Switch, and the guest OS is the Firewall OS. While the second adapter at the firewall OS will be connected to internal network Virtual Switch.

But I am concerned with the security, especially because this interface is facing public network.

So, is there any way, a way to access the host operating system, if I don't share the network adapter to management operating system?

And by any way, I mean, whatever it takes remotely. Legally or illegally, official or not, by any trick, hacking the host. And how big is the chance of Hyper-V having this vulnerability?

69
1 + 2
Ben Voigt avatar
pl flag
Ben Voigt
Of course "VM escape" vulnerabilities are a thing, and they are not limited to breaking out of the emulated LAN. Anywhere there is communication between host and guest (disk I/O, video terminal, USB forwarding, RAM balloon allocation, etc etc) carries the potential for breaking out of vm jail if not properly secured.
0
Reply
prd avatar
jp flag
prd
@BenVoigt Agree.. So, there is a chance of people getting into the host bypassing the firewall VM. I've tried with ESXi before, and it was safe until it was dissolved. This Hyper-V will only run for a few months for a project, then will also dissolved. I was reluctant to buy a hardware firewall because it will be discarded. I know that ESXi has their own drivers, but Hyper-V will rely on thrid party drivers, and I can't say anything about Windows itself. I am not that familiar with Windows security.
0
Reply
Score:2
vidarlo avatar Server
ar flag
vidarlo

And by any way, I mean, whatever it takes remotely. Legally or illegally, official or not, by any trick, hacking the host.

That would be a security vulnerability. There may very well be one, for instance a vulnerability in the NIC driver for Windows.

But you won't learn about it here. If anyone has such a vulnerability stashed away three things can happen:

  1. They tell Microsoft or vendor about it, and it gets patched. After patching, it becomes known.
  2. It can be used in an attack in the wild.
  3. It can be silently hoarded and used in a high-profile attack against a specific target, in the hope that it won't get publicly known.

So as always: define what risks you're willing to take, and think about what you're willing to spend to avoid them. Physical hardware for firewall mitigates this risk, but may open other risks (Intel ME?) and reduces flexibility. Is it worth the added cost?

+ 3
prd avatar
jp flag
prd
How big is the chance of HyperV having this vulnerability? Yes... I am also considering a physical one, and yes. I am still weighing my options. Because I thought, for a small server, putting a pfSense inside would make it simpler. But I don't know how big the chance to hack into an unshared network card is.
0
Reply
vidarlo avatar
ar flag
vidarlo
I would guess the risk is somewhat large - but the chance of discovery rather low and the consequence rather low, unless you're a high profile target. But that's *guessing*.
0
Reply
prd avatar
jp flag
prd
Thank you. I've made my decision. It's a lab server, and will be dissolved within a few months. It won't be listed on any DNS, and only about 30 people know it's existence. Therefore I am rather reluctant to spend more money into dedicated firewall since they are not cheap, and will be discarded. But on the other hand, I obviously don't want unwanted people to break into my system.
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.