Microsoft rolled out new Windows 10 and Windows Server cumulative updates today, and in addition to the fixes and security patches they include, this release also brings an important change for RemoteFX vGPU users.
Starting with this patching cycle, RemoteFX vGPU is officially disabled in most Windows Server versions, and Microsoft states that it made this decision for security reasons.
A security vulnerability in RemoteFX vGPU, which affects all Windows Server versions, could allow an attacker to run arbitrary code on the affected system. There’s no patch for this vulnerability, and Microsoft chose to disable the feature completely to eliminate the security risk.
“A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server does not properly validate input from an authenticated user on the guest operating system. To take advantage of the vulnerability, an assailant could run a specially crafted application on the guest operating system, attacking certain third-party video drivers running on the Hyper-V host. This could then make the host operating system execute arbitrary code,” Microsoft explains in CVE-2020-1036.
However, Microsoft itself explains that at this time, it’s unaware of any exploits or attacks happening in the wild, and the company reveals that “exploitation is not as likely.” As it further notes, a successful attack needs a crafted app to run on an exposed system, so blocking such attempts is a wise way to make sure your data remains safe and secure.
RemoteFX vGPU is a feature that debuted in Windows 7 and allows multiple virtual machines to share the same physical GPU. However, because of security issues, Microsoft announced a gradual retirement of the feature, starting with its deprecation in Windows 10 version 1809 and Windows Server 2019.
Today’s updates do disable the feature, but until February 2021 users can re-enable RemoteFX vGPU manually using Hyper-V Manager or PowerShell cmdlets.
On February 9, 2021, however, Microsoft will completely remove the feature from the operating systems, and at that point, enabling it again will not be possible. The company recommends that everyone switch to a different vGPU solution.
“The current implementation of RemoteFX vGPU appears prone to security vulnerabilities. Since these newly identified vulnerabilities are architectural anyway, and also the feature is already taken off newer versions of Windows, the July 14, 2020 security updates and all superseding Windows Updates will disable and remove the RemoteFX vGPU feature. Beginning with the July 14, 2020 security updates, this and all superseding Windows Updates will disable the RemoteFX vGPU feature,” the company says.
After installing today’s updates, if you attempt to launch a virtual machine configured with the RemoteFX adapter, you’ll get the following error messages:
“The virtual machine cannot be started because all of the RemoteFX-capable GPUs are disabled in Hyper-V Manager.”
“The virtual machine can’t be started because the server has insufficient GPU resources.”
If, on the other hand, you try to re-enable the vGPU, you’ll also get a security warning:
“We no longer support the RemoteFX 3D video adapter. If you’re still using this adapter, you may become susceptible to security risk. Find out more (https://go.microsoft.com/fwlink/?linkid=213976)”
The bad news is that computers running Windows 10 version 1607 or earlier have no option other than upgrading to a newer release, as no alternatives to the disabled feature exist there. Microsoft explains the following:
“Secure GPU virtualization can be obtained through Discrete Device Assignment (DDA) in Windows Server LTSC releases (Windows Server 2016 and Windows Server 2019) and Windows Server SAC releases (Windows Server, version 1803 and later versions). If you are on a Windows version earlier than Windows 10, version 1607, please consider upgrading.”
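To find the virtual machines that will hit the start-up errors quoted above, an administrator can inventory RemoteFX usage on each Hyper-V host before planning a move to DDA. The script below is an added example, not code from Microsoft or from the original article; the function name `Get-RemoteFxExposure` is hypothetical, and it assumes an elevated PowerShell session on a host with the Hyper-V module installed.

```powershell
# Added example: report RemoteFX vGPU usage on the local Hyper-V host.
# Get-RemoteFxExposure is a hypothetical helper name chosen for this example.
Import-Module Hyper-V -ErrorAction Stop

function Get-RemoteFxExposure {
    # VMs that still have a RemoteFX 3D video adapter attached. These are the
    # VMs that fail to start once the update disables the feature.
    $vms = foreach ($vm in Get-VM) {
        $adapter = Get-VMRemoteFx3dVideoAdapter -VM $vm -ErrorAction SilentlyContinue
        if ($adapter) {
            [pscustomobject]@{
                Kind   = 'VM with RemoteFX adapter'
                Name   = $vm.Name
                Detail = "State=$($vm.State); Generation=$($vm.Generation)"
            }
        }
    }

    # Physical GPUs on the host that are still enabled for RemoteFX,
    # for example because someone re-enabled them after patching.
    $gpus = Get-VMRemoteFXPhysicalVideoAdapter -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Host GPU enabled for RemoteFX'
                Name   = $_.Name
                Detail = "Driver=$($_.DriverVersion)"
            }
        }

    @($vms) + @($gpus)
}

$report = Get-RemoteFxExposure
if ($report) {
    $report | Format-Table -AutoSize
} else {
    'No RemoteFX adapters or RemoteFX-enabled GPUs found on this host.'
}

# Preview removal of the adapter from the listed VMs; drop -WhatIf to apply.
$report | Where-Object Kind -eq 'VM with RemoteFX adapter' |
    ForEach-Object { Remove-VMRemoteFx3dVideoAdapter -VMName $_.Name -WhatIf }
```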