Monthly Security Patching for Fully-Managed Windows 2012+ servers - August 9, 2022
Posted by David Cunningham on 09 August 2022 08:19 PM
Monthly Security Patching for Fully-Managed Windows 2012+ servers - July 12, 2022
Posted by David Cunningham on 12 July 2022 08:13 PM
Purpose of Work: Patch Tuesday has rolled around, and the volume of fixes is a bit lower than July of last year, with no early reports of issues caused by this round of patches. Of the 87 fixes released in this batch, only two are reported as utilized in active attacks (one of which is for Microsoft Edge). There are also no patched vulnerabilities marked as publicly disclosed other than these two, but it's worth noting that plenty of Windows bugs publicly disclosed this month are not included in this patching cycle, so we'll be keeping an eye out for out-of-band Windows patches.

To start off with the one actively targeted Windows vulnerability: this one is an Elevation of Privilege vulnerability leveraging the CSRSS (Client/Server Runtime Subsystem) component, affecting all supported versions of Windows and Windows Server ... and likely a few unsupported ones ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22047 ). Microsoft is sparse on the details for this one, but complexity and privileges required are both low, so if paired with any kind of remote code execution able to interact with CSRSS (likely including compromised websites), it can easily be used to elevate that code to running as SYSTEM, as is evidenced by the active attack status. I recommend you patch this one quickly, if you're running any application that

Next up, we have a Tampering vulnerability leveraging the 'Server' service (aka SMB) that affects Windows Server 20H2 and 2022 (or Windows 10 20H2 and up): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30216 . Tampering vulnerabilities are pretty flexible in their potential impact (they can be used to elevate, execute code, or disclose information). That said, this one does seem to require some level of authentication despite having a network vector, so I'd treat it like an Elevation of Privilege vulnerability.
Third on the list, there's a Remote Code Execution vulnerability leveraging the RPC runtime, affecting Windows Server 2012 and up (or Windows 8 and up): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-22038 . This one is fairly alarming: any code run using it is automatically elevated, it has a network vector, and no user interaction or authentication is required. The only thing potentially stopping it from being a wormable threat is that the complexity is marked 'high', with the following note provided by MS: "Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data."

Fourth on the list, there's an Elevation of Privilege vulnerability leveraging IIS, affecting all supported versions of Windows: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30209 . This one's a bit odd: it's listed as requiring no privileges, and the description seems to imply that while you can bypass authentication to get privileged information from the server, you can't disrupt the service, which sounds more like information disclosure than elevation of privilege. There's also the note that successful exploitation requires an attacker to take additional actions prior to exploitation to prepare the target environment.

That's it for the highlights this month, though as usual there are plenty of other vulnerabilities (including more Elevation of Privilege fixes affecting the Print Spooler service, and more Windows Network File System Remote Code Execution vulnerabilities, for the small percentage of users running that).

Impact of Work: All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions. Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies. Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density. Hypervisors in DR scenarios will be updated one hour early, as they are not running active workloads. Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately. Please contact us with any questions / comments / concerns.
Monthly Security Patching for Fully-Managed Windows 2012+ servers - June 14, 2022
Posted by David Cunningham on 14 June 2022 08:49 PM
Purpose of Work: It's that time again: Patch Tuesday. The volume of fixes released is similar to June of last year, and there are no early reports of issues caused by this round of patches. Today also marks the day before Internet Explorer 11 is officially out of support on Windows 10. You can read more about that here: https://docs.microsoft.com/en-us/lifecycle/announcements/internet-explorer-11-end-of-support

Of the 55 fixes released in this batch, only one vulnerability addressed is reported as utilized in active attacks, or even publicly disclosed. We'll start off with said vulnerability: an arbitrary code execution vulnerability leveraging the Microsoft Support Diagnostic Tool (MSDT) ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30190 ), affecting Server 2008 R2 and up (or Windows 7 and up for the workstation equivalents). With this one being actively exploited, there's a bit of additional context to it. This vulnerability was given the designation "Follina" by security researchers, and the most common vector for it is through Microsoft Office products, such as Word. What's unique about this particular vulnerability is that MSDT can be invoked through the ms-msdt URL protocol handler, even from Office documents that have macro support disabled... so opening a malicious Office document with such an attack embedded, even with the usual precautions in place, won't be guarded against like normal. You can read more about it here: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

Second highlighted fix this month is for a remote code execution vulnerability leveraging Hyper-V ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30163 ), affecting Server 2008 R2 and up, as well as Windows 7 and up. This one is nasty in that the RCE is initiated from a guest on an affected Hyper-V host, then jumps the gap up to the host OS.
While the attack complexity is high (apparently needing events out of the control of the exploiter to happen in a certain order to work, i.e. a race condition), this is still something we'll be patching on our managed hypervisors ASAP, and we will encourage clients with strict maintenance window requirements to authorize patching with similar expedience.

Third patched vulnerability of note is a remote code execution vulnerability leveraging Microsoft LDAP ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30139 ), affecting Server 2016 / Windows 10 and up. This would likely affect Domain Controllers in particular. This one has high listed complexity, owing to the fact that it's only exploitable if the MaxReceiveBuffer LDAP policy is set to a value higher than the default. Systems with the default value of this policy would not be vulnerable, meaning our own domain controllers are currently not affected. The mechanism of action is not made clear in the article, though it may rely on a buffer overflow of some sort.

Fourth patch of note deals with an elevation of privilege vulnerability leveraging Windows' Kerberos implementation ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30165 ), affecting Server 2016 / Windows 10 and up. This could affect any domain-joined server, but appears to only affect systems configured with both of the following features enabled: CredSSP (Credential Security Support Provider) and Remote Credential Guard (RCG). This being only EoP, an attack would still need low-privilege local access to carry it out, meaning web servers are a likely vector for it.

The last of the highlights for this month is a fix targeting a remote code execution vulnerability affecting SQL Server 2014 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29143 ). The listed complexity is 'high', with low privilege required to launch it.
Reading up on it, it seems to require a specific pre-existing table structure to be possible, but if successfully launched it would double as an elevation of privilege attack, depending on the level of privilege the SQL Server service identity possesses. We will be ensuring that the security fix at least is detected by and pushed to all our managed SQL hosts.

Impact of Work: All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:15PM, with some exceptions. Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies. Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density. Hypervisors in DR scenarios will be updated one hour early, as they are not running active workloads. Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately. Please contact us with any questions / comments / concerns.
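The Follina entry in the notice above points out that the ms-msdt URL protocol handler is what lets a document reach MSDT without macros. The PowerShell below is an added example, not part of the original notice or Microsoft's own tooling: it reports whether that handler is still registered on a host and, only when run with -Remove, applies the handler-removal workaround described in the linked MSRC guidance after exporting the key so it can be restored later. The backup path is a hypothetical default chosen for the example; the notice states none of these specifics.

```powershell
# Added example (not from the original notice): inventory the ms-msdt URL
# protocol handler and optionally apply the MSRC workaround of removing it.
# Run in an elevated PowerShell session. Assumption: the backup path below is
# a hypothetical default, and the handler key location is the standard HKCR one.

param(
    [switch]$Remove,                                           # report-only unless asked to remove
    [string]$BackupPath = "$env:ProgramData\ms-msdt-backup.reg" # hypothetical default location
)

$handlerKey = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'

function Test-MsdtHandler {
    # $true when the ms-msdt: protocol is still registered, i.e. a crafted
    # document can still launch msdt.exe through the URL handler.
    return Test-Path -Path $handlerKey
}

function Get-MsdtHandlerCommand {
    # Returns the command line the handler launches, for the change record.
    $cmdKey = Join-Path $handlerKey 'shell\open\command'
    if (Test-Path -Path $cmdKey) {
        return (Get-ItemProperty -Path $cmdKey).'(default)'
    }
    return $null
}

function Remove-MsdtHandler {
    # Export the key first so it can be restored with "reg import" after patching;
    # refuse to delete anything if the export did not succeed.
    & reg.exe export 'HKCR\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "Backup of HKCR\ms-msdt failed; not removing the handler."
    }
    Remove-Item -Path $handlerKey -Recurse -Force
}

if (-not (Test-MsdtHandler)) {
    Write-Output 'ms-msdt handler not present: workaround already applied or handler never registered.'
    return
}

Write-Output ('ms-msdt handler present, launches: ' + (Get-MsdtHandlerCommand))

if ($Remove) {
    Remove-MsdtHandler
    Write-Output "Handler removed; backup written to $BackupPath"
} else {
    Write-Output 'Report-only mode. Re-run with -Remove to apply the MSRC workaround.'
}
```

Because the default is report-only, the script is safe to run fleet-wide as an inventory check before the reboot window. Once the June update is installed, the exported key can be put back with reg import of the backup file, which is the restore path the MSRC post describes for hosts that applied the workaround ahead of the patch.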
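Since the LDAP fix (CVE-2022-30139) in the notice above is only reachable on Domain Controllers whose MaxReceiveBuffer has been raised, a check for that policy is the natural follow-up. The script below is an added example, not code from the original notice. It assumes the ActiveDirectory RSAT module is available, that the LDAP limits are read from the lDAPAdminLimits attribute of the domain's Default Query Policy, and that the built-in default for MaxReceiveBuffer is 10485760 bytes (10 MB); none of those specifics are stated in the notice.

```powershell
# Added example (not from the original notice): read the LDAP administrative
# limits from the Default Query Policy and flag a MaxReceiveBuffer above the
# built-in default, which is the precondition MSRC gives for CVE-2022-30139.
# Assumptions not stated in the notice: default is 10485760 bytes, limits live
# in lDAPAdminLimits on the Default Query Policy, ActiveDirectory module present.

Import-Module ActiveDirectory

$DefaultMaxReceiveBuffer = 10485760   # 10 MB, assumed built-in default

function Get-LdapAdminLimits {
    # Returns a hashtable of limit name -> value parsed from the multi-valued
    # lDAPAdminLimits attribute, whose entries look like "MaxReceiveBuffer=10485760".
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $policyDN = "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $policy   = Get-ADObject -Identity $policyDN -Properties lDAPAdminLimits

    $limits = @{}
    foreach ($entry in $policy.lDAPAdminLimits) {
        $name, $value = $entry -split '=', 2
        $limits[$name] = [int64]$value
    }
    return $limits
}

function Test-MaxReceiveBufferExposed {
    param([hashtable]$Limits)
    # Only a value raised above the default is exposed per the MSRC note;
    # an absent entry means the built-in default applies.
    if (-not $Limits.ContainsKey('MaxReceiveBuffer')) { return $false }
    return $Limits['MaxReceiveBuffer'] -gt $DefaultMaxReceiveBuffer
}

$limits  = Get-LdapAdminLimits
$current = $limits['MaxReceiveBuffer']

if (Test-MaxReceiveBufferExposed -Limits $limits) {
    Write-Warning "MaxReceiveBuffer is $current (> $DefaultMaxReceiveBuffer): patch CVE-2022-30139 on every DC before the next maintenance window."
} else {
    Write-Output "MaxReceiveBuffer is $current (default or unset): CVE-2022-30139 not reachable per MSRC, still patch on schedule."
}
```

One caveat: a DC can be assigned a different query policy through the queryPolicyObject attribute on its NTDS Settings object, so in domains that use per-site or per-DC policies, resolve that object for each DC instead of relying on the Default Query Policy alone.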
Monthly Security Patching for Fully-Managed Windows 2012+ servers - May 10, 2022
Posted by David Cunningham on 10 May 2022 09:24 PM
Denver Network Maintenance: April 28, 2022 - dist1.dtc1 / dist2.dtc1 JunOS Upgrade
Posted by Jay Sudowski on 25 April 2022 07:05 PM

Date: April 28, 2022
Time: 9:00PM MDT - 1:00 AM MDT

Purpose of Work: Upgrade dist1.dtc1 and dist2.dtc1 to the latest recommended versions of JunOS.

Impact of Work: These two switches function as a redundant pair. Maintenance work will be performed on one switch at a time. During the maintenance window, there may be a few periods of increased packet loss and latency when switch reboots are performed and routes converge.