Dec 8
Completion, [Wed 09 Dec 2020 11:35:49 PM MST]

Our post-update night audit reveals that the vast majority of servers successfully updated overnight.  A few one-off reboots may need to be conducted from here, but they will be done after-hours, and not on hypervisor hosts or tonight.


Update, [Tue 08 Dec 2020 10:31:19 PM MST]

Correction: "All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions."

10:30PM.  Reboots will begin shortly.


Purpose of Work:

December's Patch Tuesday has come around, and while it's a lighter patch volume than usual, there are still vulnerabilities that all subscribers running Windows should be aware of.


First of all, there are several RCE vulnerabilities for Microsoft Exchange which seem to require authentication to be leveraged.  Here's one example: https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132

Second, there appears to be a Hyper-V vulnerability that allows Hyper-V guests to force the hypervisor to run arbitrary code by sending it an invalid SMB packet.  This affects Server 2016+, and I would consider it a higher-priority patch, of those I see this cycle: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095

Third, there is another Kerberos security feature bypass vulnerability to be patched.  We'll be applying and testing this on our internal domains that many managed servers are a part of: https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16996

Fourth, there's an RCE/EOP vulnerability that requires SMB read access to a host (which means it could affect any host that allows SMB, but not NTFS access to the 'everyone' identity).  Once an adversary has this level of access, they can then send specially crafted packets over the network or locally to get the affected host to run arbitrary code as the system identity.  This affects Server 2012 and up: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17096



Impact of Work:

Our Exchange host will be rebooted at least once tonight to propagate security fixes.  This may interfere with our ability to send and receive mail intermittently, while patches are being applied.  A direct ticket update via the helpdesk portal will still work, as will a phone call.


All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.


Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.


Please contact us with any questions / comments / concerns.
