[Completion, Sun 18 Oct 2020 11:40:29 PM MDT] A final update audit confirms that all managed hosts with applicable security updates are either updated successfully, or scheduled to be soon. Several procedural improvements were made to streamline and speed up the handling of future Patch Tuesdays that seem to involve an unusually high number of zero-day exploits, as this one did.
[Update 2, Fri 16 Oct 2020 11:26:55 PM MDT] A subset of fully managed Windows servers that were outside our usual update management solution have been brought into it; those among them that did not receive the security updates on Tuesday night will be rebooted. We will perform a final audit tomorrow night before considering this window for out-of-band overnight maintenance reboots closed.
[Update 1]: About half of domain-managed VMs have been updated. We will continue to monitor hosts that have yet to update to ensure they come up quickly, and manually update where required.
All reboots will be finished before business hours.
Updates will also continue tomorrow night. At that point, managed servers not on the domain will be the primary focus.
Purpose of Work:
Patch Tuesday has come around again, and there are a few standout vulnerabilities among the crowd of those we'll be dealing with on fully managed servers that all subscribers running Windows should be aware of.
First off, there's a remote code execution vulnerability affecting Windows Server 2019 hosts (and more recent versions of Windows 10). This one leverages the TCP/IP stack within Windows, via specially crafted ICMPv6 Router Advertisement packets. Because it sits in the TCP/IP stack, any injected code would execute in the SYSTEM identity context, which makes it a wormable EOP/RCE vulnerability you'll want to patch well before exploits are developed for it: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898
Second, there's a remote code execution vulnerability affecting Hyper-V on Windows Server 2008+ hosts. This one could allow an attacker on a VM to run a specially crafted application that then forces the hypervisor itself to execute arbitrary code in an elevated user context. Hyper-V host owners will want to patch this out ASAP; fully managed customers with Hyper-V servers that have special scheduling requirements will be contacted specifically about this one. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16891
Third, there's a privilege escalation vulnerability affecting Windows Server 2016+ (and Windows 10) that leverages Windows Error Reporting. All privilege escalation vulnerabilities are a big risk on web servers and other such hosts with a large, publicly accessible attack surface. https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16909
Fourth up, there's another privilege escalation vulnerability affecting Windows Server 2008+. This one leverages the Windows Network Connections service, and of course should be addressed ASAP, as with most EOP vulnerabilities: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16887
Impact of Work:
Our Exchange host will be rebooted a few times tonight to propagate security fixes. This may intermittently interfere with our ability to send and receive mail while patches are being applied.
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:00PM on 10/13/20, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
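As an added illustration of the update audit described in the status updates above (example code, not part of this notice or of our management tooling): a PowerShell check that reports, for each managed host, whether the applicable update is installed and whether a reboot is still pending before the fix actually takes effect. Host names are constructed samples, and the KB IDs are placeholders to be replaced with the numbers applicable to each OS version from the advisories linked above.

```powershell
# Added example, not from the original notice. Requires WinRM access to the hosts.
$Hosts       = @('srv-web-01', 'srv-hv-02', 'srv-exch-01')   # constructed sample host names
$RequiredKBs = @('KB<applicable-kb-for-os>')                  # placeholder: fill in from the advisories

$Report = foreach ($ComputerName in $Hosts) {
    try {
        # Which of the required updates are present on this host?
        $Installed = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
            Where-Object { $_.HotFixID -in $RequiredKBs }
        $LastInstall = ($Installed | Sort-Object InstalledOn -Descending |
            Select-Object -First 1).InstalledOn

        # Last boot time tells us whether the installed fix is actually in effect yet.
        $Os = Get-CimInstance -ClassName Win32_OperatingSystem `
            -ComputerName $ComputerName -ErrorAction Stop
        $RebootPending = [bool]($Installed -and $LastInstall -and
            ($Os.LastBootUpTime -lt $LastInstall))

        [pscustomobject]@{
            ComputerName  = $ComputerName
            OSVersion     = $Os.Caption
            Patched       = [bool]$Installed
            RebootPending = $RebootPending
            LastBoot      = $Os.LastBootUpTime
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped, so the audit is complete.
        [pscustomobject]@{
            ComputerName  = $ComputerName
            OSVersion     = 'unreachable'
            Patched       = $false
            RebootPending = $null
            LastBoot      = $null
        }
    }
}

# Full table first, then only the hosts that still need attention.
$Report | Sort-Object Patched, RebootPending | Format-Table -AutoSize
$Report | Where-Object { -not $_.Patched -or $_.RebootPending }
```

Hosts listed by the final filter either still need the update installed or have it installed but not yet active because they have not rebooted since.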
Please contact us with any questions / comments / concerns.