[Complete, Wed 11 Nov 2020 11:03:13 PM MST] Patch compliance for managed hosts without special scheduling requirements is at 100%. Further off-schedule update reboots should not be necessary.
[Update, Wed 11 Nov 2020 01:47:16 AM MST]: Our exchange server has finished applying the latest CU, and mail service is restored. There will be a few minor updates that will be applied to it over the course of the night, but further instances of downtime should be limited to 10m or less.
Regarding https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17051: most if not all managed clients should be unaffected by it, as this is for the "Server for NFS" linux compatibility feature of the Windows File Server role, which is pretty niche and not installed by default.
Service-impacting reboots on non-hypervisors will continue as the night progresses, and stop before 5am MST. Tomorrow night, we will address hosts that failed to install this round of updates and shoot for 100% patch compliance in our managed environment.
[Update, Tue 10 Nov 2020 10:40:51 PM MST]: Updating efforts are well on their way, with many hosts having already rebooted. I will now begin the work on our exchange server, which means mail to our helpdesk sent through email clients will be temporarily deferred. You can still update helpdesk tickets through a direct login, or call us on our support line.
Purpose of Work:
Patch Tuesday is here for November, and there's a few standout vulnerabilities among the crowd of those we'll be dealing with on fully managed servers that all subscribers running windows should be aware of.
First of all, there's an Escalation of Privilege vulnerability currently being exploited in the wild that leverages the Kernel Cryptography driver on Windows Server 2008+. This one was publicly disclosed by google in Late October, and will be a priority this patch cyle: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087
Second, there's a remote code execution vulnerability Exchange server. We'll be applying this security update, so you might not be able to reach us over email for a short period during the maintenance: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17084
Third, there's an RCE vulnerability affecting NFS on Windows Server 2008+. There's not alot of public detail out there for this one, but it has a CVSS of 9.8, leverages NFS, has low attack complexity, and does not require privileges or user interaction in its description... so suffice to say, it's looking like a wormable threat: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17051
Fourth, there's a 'security feature bypass' Vulnerability in Hyper-V for Windows Server 2012R2+. While there's not alot of detail for what it is, the network attack vector, CVSS score of 6.5, low attack complexity, and lack of need for privileges or user interaction are noteworthy, and may imply the ability for VMs to modify the hypervisor directly, which is reason enough to include Hyper-V servers in this update cycle. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17040
Fifth, there's a Kerberos Security Feature bypass vulnerability that would affect Active Directory. There's not alot of info out for this one yet, but it is the sort of patch that requires additional mitigation in the form of a registry edit to enforce new Kerberos Ticket security signature standards on domain controllers, so we'll be assessing this one in our internal AD domains and reaching out to managed clients who have their own with our findings.
While that's what I would consider the highlights, there are a few other fixes that would impact 2019+ servers, including a few EOP vulnerabilities. All vulnerabilities will be patched tonight, with rollbacks occurring selectively if required.
Impact of Work:
Our exchange host will be rebooted a few times tonight to propagate security fixes. This may interfere with our ability to send and receive mail intermittently, while patches are being applied.
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.