Jun 14
Monthly Security Patching for Fully-Managed Windows 2012+ servers - June 14, 2022
Posted by David Cunningham on 14 June 2022 08:49 PM
Purpose of Work: It's that time again: Patch Tuesday. The volume of fixes released is similar to June of last year, and there are no early reports of issues caused by this round of patches. Today also marks the day before Internet Explorer 11 officially goes out of support on Windows 10. You can read more about that here: https://docs.microsoft.com/en-us/lifecycle/announcements/internet-explorer-11-end-of-support

Of the 55 fixes released in this batch, only one vulnerability addressed is reported as exploited in active attacks, or even publicly disclosed. We'll start off with that vulnerability: an arbitrary code execution vulnerability leveraging the Microsoft Support Diagnostic Tool (MSDT) ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 ), affecting Server 2008 R2 and up (or Windows 7 and up for the workstation equivalents). With this one being actively exploited, there's a bit of additional context to it. This vulnerability was given the designation "Follina" by security researchers, and the most common vector for it is through Microsoft Office products, such as Word. What's unique about this particular vulnerability is that MSDT can be invoked through the ms-msdt: URL protocol handler, even by Office documents that have macro support disabled... so opening a malicious Office document with such an attack embedded, even with the usual precautions in place, won't be guarded against like normal. You can read more about it here: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Second highlighted fix this month is for a remote code execution vulnerability leveraging Hyper-V ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30163 ), affecting Server 2008 R2 and up, as well as Windows 7 and up. This one is nasty in that the RCE is initiated from a guest on an affected Hyper-V host, then jumps the gap up to the hypervisor's OS. While the attack complexity is high (apparently needing events outside the attacker's control to happen in a certain order to work, i.e. a race condition), this is still something we'll be patching on our managed hypervisors ASAP, and we will encourage clients with strict maintenance window requirements to authorize patching with similar expedience.

Third patched vulnerability of note is a remote code execution vulnerability leveraging Microsoft LDAP ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30139 ), affecting Server 2016 / Windows 10 and up. This would likely affect Domain Controllers in particular. It has high listed complexity, owing to the fact that it's only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default. Systems with the default value of this policy would not be vulnerable, meaning our own domain controllers are currently not affected. The mechanism of action is not made clear in the advisory, though it may rely on a buffer overflow of some sort.

Fourth patch of note deals with an elevation of privilege vulnerability leveraging Windows' Kerberos implementation ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30165 ), affecting Server 2016 / Windows 10 and up. This could affect any domain-joined server, but appears to only affect systems configured with both of the following features enabled: CredSSP (Credential Security Support Provider) and Remote Credential Guard (RCG). This being only EoP, an attacker would still need low-privilege local access to carry it out, meaning web servers are a likely vector for it.

The last of the highlights for this month is a fix for a remote code execution vulnerability leveraging and affecting SQL Server 2014 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29143 ). The listed complexity is 'high', with low privilege required to launch it. Reading up on it, it seems to require a specific pre-existing table structure to be possible, but if successfully launched, it would double as an elevation of privilege attack, depending on the level of privilege the SQL Server service identity possesses. We will be ensuring that the security fix at least is detected by and pushed to all our managed SQL hosts.

Impact of Work: All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:15PM, with some exceptions. Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies. Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight or have their updates scheduled, depending on customer policy / VM density. Hypervisors in DR scenarios will be updated one hour early, as they are not running active workloads. Any hosts where updates are managed directly by the customer (or where an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately. Please contact us with any questions / comments / concerns.
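For self-managed hosts that cannot take the June update immediately, the Follina paragraph above points at Microsoft's guidance, which describes a stopgap: export and then delete the ms-msdt: protocol handler key so nothing can hand a crafted URL to msdt.exe. The script below is an added example written for this page, not code from the original post or from Microsoft; it wraps that documented reg export / reg delete workaround with a dry-run mode and a backup check. The backup directory path is an assumption; adjust it to your own conventions.

```powershell
# Added example (not from the original post): apply and verify Microsoft's published
# workaround for CVE-2022-30190 (Follina) on a host that cannot be patched yet.
# Removing HKCR\ms-msdt unregisters the ms-msdt: URL protocol handler, so an Office
# document (macros enabled or not) can no longer launch msdt.exe through it.
# Stopgap only: restore the key with 'reg import <backup>' once the June update is on.
# Save as Disable-MsdtHandler.ps1 and run from an elevated PowerShell prompt.

param(
    [string]$BackupDir = 'C:\Admin\msdt-backup',   # assumed path; change to taste
    [switch]$Apply                                 # without -Apply, report only
)

$keyPath = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandlerRegistered {
    # The handler is live only if the key exists AND carries the 'URL Protocol' value.
    if (-not (Test-Path -LiteralPath $keyPath)) { return $false }
    $props = Get-ItemProperty -LiteralPath $keyPath -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
}

if (-not (Test-MsdtHandlerRegistered)) {
    Write-Output "ms-msdt: handler is not registered on $env:COMPUTERNAME; nothing to do."
    return
}

Write-Output "ms-msdt: handler is registered on $env:COMPUTERNAME (exposed to CVE-2022-30190 until patched)."

if (-not $Apply) {
    Write-Output "Re-run with -Apply to back up and remove the handler."
    return
}

# 1. Back up the key the same way Microsoft's guidance does (reg export), so it can be
#    re-imported after patching. Refuse to delete anything if the backup did not land.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ("ms-msdt-{0}-{1:yyyyMMdd-HHmmss}.reg" -f $env:COMPUTERNAME, (Get-Date))
& reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) {
    throw "Backup of HKCR\ms-msdt failed; refusing to delete the key."
}

# 2. Remove the protocol handler.
& reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg delete returned exit code $LASTEXITCODE" }

# 3. Verify the handler is really gone before reporting success.
if (Test-MsdtHandlerRegistered) {
    throw "ms-msdt: handler is still present after delete."
}
Write-Output "Removed ms-msdt: handler. Backup written to $backupFile (restore with: reg import `"$backupFile`")."
```

Run it once without -Apply to inventory which hosts still carry the handler, then with -Apply on the ones you cannot patch in the window. Keep the .reg backups: after the June update is installed the key should be re-imported so that legitimate troubleshooting links work again.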
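The LDAP paragraph above makes exposure to CVE-2022-30139 depend on one setting: whether MaxReceiveBuffer on the effective LDAP query policy is above the Windows default of 10485760 bytes. The script below is an added example written for this page, not code from the original post; it reads every queryPolicy object in the forest's Configuration partition, works out which policy each domain controller actually uses (the DC's own NTDS Settings object first, then its site's NTDS Site Settings, then the Default Query Policy), and flags any DC above the default. It assumes the ActiveDirectory RSAT module and read access to the Configuration naming context; the 10485760 default is Microsoft's documented value, and a policy that omits the entry is assumed to fall back to that default.

```powershell
# Added example (not from the original post): find domain controllers whose effective LDAP
# query policy raises MaxReceiveBuffer above the default, which the June 2022 advisory
# gives as the precondition for CVE-2022-30139 exploitation.
# Assumes: ActiveDirectory module (RSAT) and read access to the Configuration NC.

Import-Module ActiveDirectory

$DefaultMaxReceiveBuffer = 10485760   # Windows default (10 MB), per Microsoft documentation

$configNC        = (Get-ADRootDSE).configurationNamingContext
$policyContainer = "CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$defaultPolicyDN = "CN=Default Query Policy,$policyContainer"

# lDAPAdminLimits is multi-valued, one "Name=Value" string per limit; turn it into a hashtable.
function ConvertFrom-LdapAdminLimits {
    param([string[]]$Limits)
    $table = @{}
    foreach ($entry in $Limits) {
        $name, $value = $entry -split '=', 2
        $table[$name] = [int64]$value
    }
    return $table
}

# Load every query policy (the default one plus any custom policies an admin created).
$policyLimits = @{}
Get-ADObject -SearchBase $policyContainer -LDAPFilter '(objectClass=queryPolicy)' -Properties lDAPAdminLimits |
    ForEach-Object {
        $policyLimits[$_.DistinguishedName] = ConvertFrom-LdapAdminLimits -Limits $_.lDAPAdminLimits
    }

# Resolve the policy a given DC honours: NTDS Settings -> site settings -> default.
function Get-EffectiveQueryPolicyDN {
    param($DomainController)
    $ntds = Get-ADObject -Identity $DomainController.NTDSSettingsObjectDN -Properties queryPolicyObject
    if ($ntds.queryPolicyObject) { return $ntds.queryPolicyObject }
    $siteSettingsDN = "CN=NTDS Site Settings,CN={0},CN=Sites,{1}" -f $DomainController.Site, $configNC
    $site = Get-ADObject -Identity $siteSettingsDN -Properties queryPolicyObject
    if ($site.queryPolicyObject) { return $site.queryPolicyObject }
    return $defaultPolicyDN
}

$findings = foreach ($dc in Get-ADDomainController -Filter *) {
    $policyDN = Get-EffectiveQueryPolicyDN -DomainController $dc
    $limits   = $policyLimits[$policyDN]
    if (-not $limits) { $limits = @{} }
    # A policy without an explicit entry is assumed to use the built-in default.
    $value = if ($limits.ContainsKey('MaxReceiveBuffer')) { $limits['MaxReceiveBuffer'] } else { $DefaultMaxReceiveBuffer }
    [pscustomobject]@{
        DomainController = $dc.HostName
        QueryPolicy      = ($policyDN -split ',')[0]
        MaxReceiveBuffer = $value
        AboveDefault     = ($value -gt $DefaultMaxReceiveBuffer)
    }
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object AboveDefault) {
    Write-Warning "One or more DCs run with MaxReceiveBuffer above the default; treat CVE-2022-30139 as exploitable there until patched."
}
```

The same values can be read interactively on a single DC with ntdsutil ("LDAP policies", connect to the server, "show values"); the script version is there so the check can be run across a forest and kept as evidence of the pre-patch posture.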
May 10
Monthly Security Patching for Fully-Managed Windows 2012+ servers - May 10, 2022
Posted by David Cunningham on 10 May 2022 09:24 PM
Purpose of Work:
Apr 25
Denver Network Maintenance: April 28, 2022 - dist1.dtc1 / dist2.dtc1 JunOS Upgrade
Posted by Jay Sudowski on 25 April 2022 07:05 PM
Date: April 28, 2022
Time: 9:00 PM MDT - 1:00 AM MDT
Purpose of Work: Upgrade dist1.dtc1 and dist2.dtc1 to the latest recommended versions of JunOS.
Impact of Work: These two switches function as a redundant pair. Maintenance work will be performed on one switch at a time. During the maintenance window, there may be a few periods of increased packet loss and latency when switch reboots are performed and routes converge.
Apr 21
Complete: Denver Emergency Network Maintenance: dist3.dtc1 April 21 9:00 PM MDT
Posted by Jay Sudowski on 21 April 2022 12:02 PM
Update: 12:36AM MDT - Final checks are all clear. We are closing this maintenance window as complete and successful, with no customer impact.
Update: 12:30AM MDT - Our work is complete and we are making final checks.
Update: The problematic switch is almost completely isolated.
Reminder: This activity will begin in about 15 minutes.
Date: April 21, 2022
Time: 9:00 PM MDT - 1:00 AM MDT
Purpose: Troubleshoot and resolve issues with dist3.dtc1 fpc1, which is throwing parity errors. According to Juniper, the parity errors may be caused by any of the following:
1. Emission of alpha particles from tiny amounts of radioactive materials present in the chips
2. Cosmic rays creating energetic neutrons and protons
3. A bug in the current version of JunOS running on the switch
Description of Work: During this maintenance window, we will physically isolate the impacted node and reboot it. While this is a redundant node and we don't expect any major network disruptions, this is an unusual problem we haven't faced before. While the node is isolated, there may be brief periods of connectivity disruption while traffic is rerouted, which may impact iSCSI traffic for certain customers. Once the node is physically isolated, we will reboot it. If the errors resolve themselves, we will re-establish connectivity to the device. If the errors continue, we will physically replace the device with a spare.
Apr 12
Monthly Security Patching for Fully-Managed Windows 2012+ servers - April 12, 2022
Posted by David Cunningham on 12 April 2022 08:10 PM
Purpose of Work: First off, we have a system-level remote code execution vulnerability that leverages the Remote Procedure Call Runtime and affects seemingly all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 ). This one is particularly concerning because it doesn't require authentication, and any code executed would run in the SYSTEM context, making it a wormable vulnerability that could very quickly compromise an unpatched network of Windows hosts if it were exploited. This one is not yet in the wild, so we'll be following our usual patching schedule to deal with it. If you are unable to patch this on a self-managed environment, our recommendation is to block TCP port 445 from untrusted hosts.
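The recommendation above, blocking TCP 445 from untrusted hosts, is usually done at the perimeter, but on a self-managed Windows host it can also be enforced locally. The script below is an added example written for this page, not code from the original post; it uses the Windows Defender Firewall cmdlets to leave SMB reachable only from named source ranges. The two ranges in $TrustedRanges are placeholders for a management subnet and a domain controller (domain members still need 445 to their DCs for SYSVOL and Group Policy); substitute your own.

```powershell
# Added example (not from the original post): restrict inbound SMB (TCP 445) on a Windows
# host to trusted sources while CVE-2022-26809 remains unpatched. Run elevated.
#
# Design note: Windows Firewall evaluates Block rules before Allow rules, so a blanket
# "block 445" rule would also defeat a scoped Allow. The approach here is the other way
# round: rely on the default inbound action being Block, disable the stock SMB-In allow
# rules, and add a single Allow rule scoped to $TrustedRanges.

$TrustedRanges = @('10.10.0.0/24', '10.20.5.10')   # assumed: management subnet + a DC
$RuleName      = 'SMB-In (restricted to trusted hosts) - CVE-2022-26809 mitigation'

# 1. The scoped Allow only means something if unmatched inbound traffic is dropped.
$open = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
if ($open) {
    throw ("Inbound default action is not Block on profile(s): {0}" -f ($open.Name -join ', '))
}

# 2. Disable every other enabled inbound Allow rule that opens local port 445
#    (e.g. the built-in "File and Printer Sharing (SMB-In)" rules), so they cannot
#    widen the scope again.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $_.DisplayName -ne $RuleName -and
        (($_ | Get-NetFirewallPortFilter).LocalPort -eq 445)
    } |
    ForEach-Object {
        Write-Output "Disabling inbound allow rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# 3. Create (or refresh) the scoped Allow rule.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $TrustedRanges -Action Allow -Profile Any -Enabled True | Out-Null

# 4. Report what is still allowed in on 445, with its source scope, for the change record.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 445 } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ', ') }
    } | Format-Table -AutoSize
```

Apply this alongside, not instead of, the perimeter block: the host rule protects against lateral movement from a compromised neighbour on the same network, which a border firewall never sees. Re-enable the stock SMB rules only after the April update is confirmed installed.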