[Completion] Zero-Day Emergency Security Patching for Fully-Managed Windows 2008+ servers - July 14, 2020
Posted by David Cunningham on 14 July 2020 10:18 PM
End of Maintenance, 2:37am:
All fully-managed hosts that do not have special scheduling requirements are either updated, or well on their way to being updated. We will reach out to clients with special scheduling requirements, and audit all hosts that were automatically updated tonight to confirm patching compliance. The bulk of the remaining automatic reboots should be finished within 30 minutes.
Updates have been deadlined, and servers meeting the previously outlined criteria will begin to reboot shortly. We will monitor all servers to ensure they come back up normally, and install the update properly.
Purpose of Work:
A remote code execution vulnerability (CVE-2020-1350) affects all versions of the DNS Server role in all versions of Windows Server so far. This vulnerability is wormable, and exploit code would run under the SYSTEM context, giving any attacker full control of an affected DNS host.
Due to the ability of this vulnerability to quickly spread through and take control of any hosts running the DNS Server service on a network, we will be patching and rebooting all affected, fully-managed hosts overnight.
Standalone hypervisors are a general exception to this. Customer-owned Windows HVs that host unmanaged VMs but also run a DNS server should have their maintenance scheduled with us separately.
Customers with their own update infrastructure will also be scheduled separately.
You can read more about the vulnerability (and the patches mitigating it) here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
We will update you as maintenance begins.
Impact of Work:
All affected hosts will be rebooted automatically / ASAP to propagate fixes, starting at 10:30PM MDT on Tuesday the 14th.
Internal systems on Windows 2008 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.
Any hosts not on our fully-managed domain (usually because they have their own domain) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.