Jan 10
Purpose of Work:

January's Patch Tuesday has arrived, and Microsoft is starting off the year as busy as ever.  There are 98 Windows vulnerabilities being patched this month, compared to 96 in January 2021.

Of those 96 vulnerabilities, 1 is under active exploitation, and another is publicly disclosed.  Neither of these is a remote code execution vulnerability.

Preliminary reports from early adopters indicate no apparent widespread issues, and the test environment has shown no major trouble, post-update.  All known issues from previous patch cycles appear to be resolved, per https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016 and the other subpages accessible through the sidebar at that page.

This includes the ODBC connection problems and the LSASS memory leak lingering from the last two patch cycles.  Overall, this seems like it might end up going better than last year's January patch cycle, though we will be allowing for more testing time before we fully commit to this one, tonight.


To usher in the highlights, we'll begin, as always, with the vulnerability currently 'in the wild'.  This time it's an elevation of privilege vulnerability leveraging the Windows Advanced Local Procedure Call (ALPC) internal feature, and affecting Windows 8.1 / Windows Server 2012 R2 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674 ).  This one is fairly scary for end users, as a malicious payload received by a Chromium-based browser (such as Edge) can be used to escape the browser sandbox and elevate to the local SYSTEM identity.  When paired with a code execution payload, this could be used to deploy ransomware to a given server.  This bug was reported by Avast, so that seems likely at this point.

2nd on the list, we have the publicly disclosed vulnerability, an elevation of privilege vulnerability leveraging the Windows SMB Witness service and affecting Windows 8.1 / Windows Server 2012 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21549 ).  Normally any vulnerability with SMB in the name is cause for universal alarm within Windows environments, but the SMB Witness service is only used by Windows Server environments that make use of failover clustering (such as clustered Hyper-V, SQL and file servers).  Those servers are also usually going to be fairly locked down.  However, if you have any non-privileged users that are compromised in such a scenario, or have made the mistake of running a web server on the same host, this could very easily become a problem.

3rd up, we have a pair of elevation of privilege vulnerabilities affecting and leveraging all supported versions of on-prem Exchange ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21763 ).  This is actually a regression, or, perhaps more accurately, a failed patching of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41123 from the November patch cycle, so we'll be making a priority of this one.  Notably, it requires additional mitigation actions beyond installing the patch.

4th on the list, we have a remote code execution vulnerability leveraging the ODBC driver and affecting Windows 7 / Windows Server 2008 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21732 ).  Web hosting servers in particular are going to need this one patched, since managed code may be able to interact with the ODBC driver without any end-user trickery being required.  Notably, any code executed with this vulnerability is pre-elevated, running in the SYSTEM security context.

5th up, there are a few security feature bypass vulnerabilities affecting BitLocker on Windows 7 / Windows Server 2008 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21563 / https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 ).  This is only a concern to those who are running BitLocker to encrypt their Windows volumes.  Those paying attention to the CVE names will note that one of these is from November 2022: I'm mentioning that one because today, Microsoft updated the vulnerability with the unique additional step required to apply protections: patching the recovery partition, if one exists.


There are a few other vulnerabilities worth mentioning offhand without further detail: a SharePoint Server security feature bypass that apparently allows attackers to bypass authentication and gain access ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21743 ), another Microsoft Office arbitrary code execution vulnerability ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21734 ), several L2TP RCE vulnerabilities ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21734 , one of many), and a trio of Print Spooler EOP vulnerabilities ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21678 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21765 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21760 ).

As usual, we're only scratching the surface with the highlights.  The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.


Impact of Work:


All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:20PM, with some exceptions.

Overflow work may continue the following night at 9pm and onwards.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.  Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle.  If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.  


Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.



Dec 13

Purpose of Work:

December's Patch Tuesday has arrived, and it looks like Microsoft is taking it a bit easy for the holidays as a present to us all.  There are 52 Windows vulnerabilities being patched this month, compared to 67 in December 2021.

Of those 52 vulnerabilities, 1 is under active exploitation, and another is publicly disclosed.  Neither of these is a remote code execution vulnerability.

Preliminary reports from early adopters indicate no apparent widespread issues, and the test environment has shown no major trouble, post-update.  Most of the issues I see reports of are lingering issues from last month's patches ( visible for various versions of the OS via the sidebar here: https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016 ), with the worst of them having been hotfixed (the Kerberos authentication problems from last month's hardening).

Unfortunately, while I don't see new known issues this month (so far...), that does leave 2 known issues unaddressed with this round of updates, so far: the ODBC connection problems and the LSASS memory leak.  We at least haven't seen any reported problems stemming from them, but it's good to be aware of the problems.


To kick off the highlights, we'll start with the vulnerability that's currently in the wild, a security feature bypass vulnerability leveraging the "Mark of the Web" (MOTW) security feature, and affecting Windows 10 and Server 2016 and up, respectively ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44698 ).  This, like previous similar vulnerabilities, allows an attacker to craft a malicious file in such a way that it evades the MOTW tag that all downloaded files and email attachments receive; that flag is what prompts Microsoft SmartScreen to warn the user before executing the file.  Obviously, this can be used to great effect with phishing and malicious websites, so we recommend you patch your workstations, VDIs and RDS environments ASAP.

2nd on the list, we have a publicly disclosed elevation of privilege vulnerability leveraging DirectX 11, and seemingly affecting only Windows 11 builds ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44710 ).  This attack is listed as high complexity, requiring that the attacker win at least one race condition.  Interestingly, it's capable of breaching AppContainer isolation, in addition to granting SYSTEM privileges ( https://learn.microsoft.com/en-us/windows/win32/secauthz/appcontainer-isolation ).

3rd up, we have a remote code execution vulnerability leveraging Windows PowerShell, and affecting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41076 ).  This exploit is not public at time of writing, and while it does have a network attack vector, it requires low privileges in addition to high complexity... so it does not seem wormable, even if the scope is broad.  Still something we'll be taking care of ASAP for managed workloads.

4th, we've got an Arbitrary Code Execution vulnerability leveraging and affecting all versions of .NET on all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41076 ).  There does seem to be some mixing and matching involving which specific versions of .NET are affected on specific versions of Windows.  Because of the nature of .NET (which often underpins web apps), Microsoft is treating this as a remote code execution vulnerability.  It is unclear whether this exploit would also give the attacker elevated privileges, but that seems unlikely.  This does appear to require 'user interaction', and no authentication, but such interaction could easily be provided by a website.  As such, web servers in particular should be patched to avoid this one.



There are a few other vulnerabilities worth mentioning offhand without further detail: a Hyper-V DoS ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44682 ) and EOP vulnerability ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41094 ), a Microsoft Outlook for Mac spoofing bug ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44713 ), and two Print Spooler service EOP vulnerabilities ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41094 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-44682 ).


As usual, we're only scratching the surface with the highlights.  The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.


Impact of Work:


All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11:30PM, with some exceptions.

Overflow work may continue the following night at 9pm and onwards.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.  Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle.  If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.  


Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.





Nov 8
Monthly Security Patching for Fully-Managed Windows 2012+ servers - November 8, 2022
Posted by David Cunningham on 08 November 2022 11:10 PM
Purpose of Work:

November's Patch Tuesday has arrived.  There are 69 Windows vulnerabilities being patched this month, compared to 55 in November 2021.

Of those 69 vulnerabilities, 6 are under active exploitation, with one of those publicly disclosed.   Only two of the six vulnerabilities found 'in the wild' are Remote Code Execution vulnerabilities: the first requires user interaction, the other requires unprivileged authentication, so nothing wormable appears to be out there and spreading.

Preliminary reports from early adopters indicate no apparent widespread issues (though there are some edge case problems I've seen reported with WinRM functionality), and the test environment has shown no major trouble, post-update, so I guess that's something to be thankful for.



To kick off the highlights, we'll start with a pair of Remote Code Execution vulnerabilities affecting all supported versions of Windows, and using the Windows Scripting Language engines as their vector ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41128 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41118 ).  Both affect JScript9, with CVE-2022-41128 also affecting the Chakra engine.  CVE-2022-41128 is on the shortlist of actively exploited vulnerabilities this month, has a network vector with no authentication required, but requires user interaction to exploit: specifically, a user must be tricked into clicking on a link to a malicious server carrying the exploit as a payload.  CVE-2022-41118 is not in the wild yet, but works in a similar fashion, requiring user interaction.  Until this one is patched in your environment, users should be wary of email links on Windows VDIs or workstations.

There are also a pair of Exchange Server vulnerabilities this month, affecting all supported versions ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040 , https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082 ).  One is RCE, the other is EOP, and both require authentication.  We'll be updating our own Exchange server (which may affect mail flow tonight, so if you get a bounce, contact us via phone or helpdesk), and recommend you do the same if you maintain one.  This patch appears to require additional hardening actions after installation.

There are three more vulnerabilities detected 'in the wild' this month: an EOP vuln leveraging the Print Spooler and affecting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41073 ), an EOP vuln leveraging the CNG Key Isolation service and affecting Windows 8/Server 2012 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41125 ), and lastly, a security feature bypass vulnerability affecting Windows 10/2016 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41091 ).  There's not much to talk about with the Elevation of Privilege vulnerabilities: they require no additional action, and of course can only be used to amplify non-privileged compromises.  The security feature bypass is interesting for those who work with end-user systems like VDI or workstations: it allows bypassing of the "Mark of the Web" security flag applied to downloaded files, which causes browsers and Microsoft Office programs to treat said files with more suspicion and prompt for end-user review before executing them.
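As an added illustration (not code from the original posts), here is a read-only PowerShell audit of the Mark of the Web flag that this post and the December post describe: it walks a folder and lists files of risky types that carry no Zone.Identifier stream, or a zone below Internet, which is what a MOTW bypass leaves behind for a responder to find. The folder path and the extension list are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. Reports files that lack the
# Mark of the Web (the Zone.Identifier alternate data stream) or carry a
# zone below 3 (Internet), so SmartScreen would never have prompted for them.
# Assumptions: Windows PowerShell 3+ on Windows; the default path and the
# extension list are placeholders chosen for this example.
function Get-MotwReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Extensions = @('.exe', '.msi', '.js', '.vbs', '.iso', '.vhd', '.lnk', '.docm', '.xlsm')
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $zoneId = $null
            $referrer = $null
            # The stream is absent on files that never received MOTW or had it stripped.
            $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($stream) {
                $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
                foreach ($line in $content) {
                    if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
                    if ($line -match '^ReferrerUrl=(.+)$') { $referrer = $Matches[1] }
                }
            }
            [pscustomobject]@{
                File       = $file.FullName
                HasMotw    = [bool]$stream
                ZoneId     = $zoneId            # 0 LocalMachine, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
                Referrer   = $referrer
                # Missing stream, or a zone below Internet, is what a bypass produces.
                Suspicious = (-not $stream) -or ($zoneId -lt 3)
            }
        }
}

# Usage: review the user's Downloads folder and show only the suspicious entries.
Get-MotwReport -Path "$env:USERPROFILE\Downloads" | Where-Object Suspicious | Format-Table -AutoSize
```

Files extracted from archives or mounted disk images can legitimately lack the stream, so treat the list as a review queue, not a verdict.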

Fourth on the list, there's a pair of EOP vulnerabilities leveraging different aspects of Kerberos and affecting all supported versions of Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37966 ).  These vulnerabilities will require post-patching action to properly mitigate, and like most Kerberos patches, the fixes will eventually be made mandatory via a phased rollout.  Said updates have major implications for AD domains and domain controllers, so I recommend anyone in charge of an AD domain review both articles and their linked articles carefully, as we will be doing.  Both updates are still in their staging phase at this time, having just been released.

There are a few other vulnerabilities worth mentioning offhand without further detail: a Hyper-V denial of service vulnerability ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38015 ) and three RCE vulnerabilities affecting the Windows Point-to-Point Tunneling Protocol service ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41044 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41088 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41039 ).


As usual, we're only scratching the surface with the highlights.  The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.


Impact of Work:


All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11PM, with some exceptions.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.  Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle.  If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.  


Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.




Oct 11
Purpose of Work:

October's Patch Tuesday is here, and it's not especially spooky.  There are 85 Windows vulnerabilities being patched this month, compared to 82 in September 2021.

Preliminary reports from early adopters indicate no apparent widespread issues, and as usual the test environment will be updated first and monitored for any showstoppers.

Of those 85 vulnerabilities, one is under attack and another is publicly known, but neither is an RCE vulnerability.


First for the highlights, we'll start with the vulnerability under active exploitation: a local Elevation of Privilege vulnerability leveraging the COM+ Event System service, and affecting all supported versions of Windows and Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41033 ).  Based on the information Microsoft has provided so far, there's not a lot to say about this, other than the usual: this being an Elevation of Privilege vulnerability, it will make any successful remote code execution more dangerous when paired with it; web servers and application servers in particular that are open to the internet could be impacted by this.

Second up, the public vulnerability is an Information Disclosure vulnerability affecting and leveraging recent versions of Office on Mac ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41043 ).  It seems users affected by this can get their authentication tokens and such sniffed by the attackers, so if you're on a Mac, make sure you're running those updates.  Vulnerabilities that are publicly disclosed often have a short fuse before we see them exploited by actual attackers.

Third, we have an Arbitrary Code Execution vulnerability affecting and leveraging all supported versions of Microsoft Office ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38048 ).  It's unclear exactly what the vector is, but user interaction is required.  Microsoft has labeled this as a "remote code execution" vulnerability to emphasize that attackers are likely to exploit this by sending payloads directly to end-users, per usual.  

Fourth on the list (and taking us back to Windows server products), we have an Elevation of Privilege vulnerability leveraging the DCOM Server and Active Directory Certificate Services, affecting all supported versions of Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37976 ).  The actual EOP vector seems to be through forcing the DCOM Server to authenticate with a malicious client via ADCS, then capturing the resulting credential payload for malicious use.  There don't appear to be any special adjustments required to get the patch to work, though there is some pre-patching mitigation guidance.

Fifth on the list, there's an Elevation of Privilege vulnerability leveraging Hyper-V and affecting Windows Server 2016 / Windows 10 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37979 ).  Curiously, Microsoft mentions in the vulnerability FAQ that "An attacker on a Nested Hyper-V environment would gain Level 1 Hyper-V Windows Root OS privileges", leaving the question open on what they'd achieve on a standard Hyper-V deployment.  We'll be making no assumptions, and will patch as if it affects standard Hyper-V deployments the same way it normally would: allowing VMs to break the sandbox and run code on the HV.

Sixth up, we have a Denial of Service vulnerability leveraging the TCP/IP driver in all supported versions of Windows and Windows Server ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33645 ).  As is typical with these TCP/IP stack vulnerabilities as of late, it only affects hosts that have IPv6 enabled at the protocol/interface level, which is a default.

And, finally, there is a whole host of Remote Code Execution vulnerabilities leveraging the Windows Point-to-Point Tunneling Protocol Server feature, on all supported versions of Windows and Windows Server (between each of them, at least: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22035 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24504 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-33634 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38047 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38000 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41081 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30198 ).  This one is more of an edge case, but if you have a host you're allowing users to dial into via PPTP, I'd shut that down until these patches can be deployed.


There is also an Exchange security update this month, so our mail may be impacted more than usual.

I'll add that none of the vulnerabilities this month (including yet more Print Spooler and Kerberos Elevation of Privilege vulnerabilities) seem to require additional action, beyond installing a given patch.
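Several of the bugs highlighted this month only matter under a host-level precondition (IPv6 bound to an adapter, a PPTP listener, the Hyper-V role with nested virtualization, a running Print Spooler), and the same is true of the BitLocker and SMB Witness items in the January post (BitLocker-protected volumes plus a recovery partition, and failover-cluster membership). The following PowerShell triage script is an added example, not code from the original posts: it reports which of those preconditions hold on the local host so reboots can be prioritised. It assumes an elevated session on Windows Server 2012 or later, that the BitLocker and Hyper-V cmdlets are used only when present, and that reagentc prints English-language output.

```powershell
# Added example, not from the original posts. Read-only triage of the host
# conditions that decide whether the highlighted bugs apply here.
# Assumptions: elevated Windows PowerShell on Server 2012+; BitLocker and
# Hyper-V cmdlets are only called when installed; reagentc output is parsed
# assuming an English-language Windows install.
function Get-PatchExposure {
    $report = New-Object System.Collections.Generic.List[object]
    function Add-Row([string]$Exposure, [bool]$Present, [string]$Detail) {
        $report.Add([pscustomobject]@{ Exposure = $Exposure; Present = $Present; Detail = $Detail })
    }

    # TCP/IP DoS (CVE-2022-33645) needs IPv6 bound at the interface level, the default.
    $v6 = @(Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue | Where-Object Enabled)
    Add-Row 'IPv6 bound to an adapter' ($v6.Count -gt 0) (($v6 | Select-Object -ExpandProperty Name) -join ', ')

    # PPTP RCEs: the control channel listens on TCP 1723, normally hosted by RRAS (RemoteAccess).
    $pptp = @(Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue)
    $rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasText = if ($rras) { "RemoteAccess service $($rras.Status)" } else { 'RRAS not installed' }
    Add-Row 'PPTP listener on TCP 1723' ($pptp.Count -gt 0) $rrasText

    # Hyper-V EOP (CVE-2022-37979): role present, and which VMs expose virtualization
    # extensions, i.e. the nested Hyper-V case Microsoft's FAQ singles out.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $nested = @()
    if ($vmms -and (Get-Command Get-VMProcessor -ErrorAction SilentlyContinue)) {
        $nested = @(Get-VM -ErrorAction SilentlyContinue | Get-VMProcessor |
                    Where-Object ExposeVirtualizationExtensions | Select-Object -ExpandProperty VMName)
    }
    $nestedText = if ($nested.Count -gt 0) { "nested virtualization on: $($nested -join ', ')" } else { 'no nested-virtualization VMs' }
    Add-Row 'Hyper-V host' ([bool]$vmms) $nestedText

    # Print Spooler EOPs keep recurring; a server that never prints can leave the service stopped.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerText = if ($spooler) { "service $($spooler.Status)" } else { 'not installed' }
    Add-Row 'Print Spooler running' ($spooler -and $spooler.Status -eq 'Running') $spoolerText

    # BitLocker SFBs (January post): only hosts encrypting Windows volumes care, and the
    # extra step there is updating the recovery (WinRE) partition if one exists.
    $blVolumes = @()
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $blVolumes = @(Get-BitLockerVolume -ErrorAction SilentlyContinue |
                       Where-Object { $_.ProtectionStatus -eq 'On' } | Select-Object -ExpandProperty MountPoint)
    }
    $reInfo = (& reagentc.exe /info 2>$null) -join "`n"
    $reText = if ($reInfo -match 'Windows RE status:\s*(\S+)') { "WinRE $($Matches[1])" } else { 'WinRE status unknown' }
    Add-Row 'BitLocker-protected volumes' ($blVolumes.Count -gt 0) ("$($blVolumes -join ', ') $reText".Trim())

    # SMB Witness EOP (January post) only matters on failover-cluster members.
    $clussvc = Get-Service -Name ClusSvc -ErrorAction SilentlyContinue
    $clusText = if ($clussvc) { "service $($clussvc.Status)" } else { 'not installed' }
    Add-Row 'Failover Clustering (ClusSvc)' ([bool]$clussvc) $clusText

    $report
}

Get-PatchExposure | Format-Table -AutoSize
```

A row with Present = True is a host where the matching patch (and, for BitLocker and Kerberos-style items, the post-patch step) should move up the queue; the script changes nothing itself.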

That's all for the highlights, but as usual, there's plenty more where that came from, all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.


Impact of Work:


All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:20PM, with some exceptions.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.  Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle.  If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.  


Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.


Please contact us with any questions / comments / concerns.



Sep 22
[Rescheduled] Firmware updates for all-flash SAN storage - September 27, 2022
Posted by David Cunningham on 22 September 2022 07:03 PM
Purpose of Work:

Tonight, at 9 PM MDT, we will be performing a routine firmware upgrade on one of our all-flash SAN units, to get it on the latest firmware and security update level.

This will be a continuation of the maintenance done on the 22nd, which had to be rescheduled.



Impact of Work:

No impact is expected.  The unit will be automatically updating a single controller at a time, meaning it should be failing over gracefully to the other controller at any given phase of the updates.

We have performed this upgrade on two non-production SAN units earlier today, and no impact occurred.


If any impact occurs, you may see degraded performance or an outage on certain standalone hypervisors, or lower-volume clusters.

We will be monitoring the process closely for any issues to mitigate and will update this news post, if we notice anything of the sort.


Please contact us with any questions / comments / concerns.