[Complete] Emergency Security Patching for Fully-Managed Windows 2012+ servers - December 10, 2020
Posted by David Cunningham on 08 December 2020 10:30 PM
Completion [Wed 09 Dec 2020 11:35:49 PM MST] Our post-update night audit reveals that the vast majority of servers successfully updated overnight. A few one-off reboots may still need to be conducted from here, but they will be done after hours, not tonight, and not on hypervisor hosts.
Update, [Tue 08 Dec 2020 10:31:19 PM MST]
Correction: "All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions."
10:30PM. Reboots will begin shortly.
Purpose of Work:
December's Patch Tuesday has come around, and while it's a lighter patch volume than usual, there are still vulnerabilities that all subscribers running Windows should be aware of.
First of all, there are several RCE vulnerabilities for Microsoft Exchange which appear to require authentication to be leveraged. Here's one example: https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17132
Second, there appears to be a Hyper-V vulnerability that allows Hyper-V guests to force the hypervisor to run arbitrary code by sending it an invalid SMB packet. This affects Server 2016+, and of the patches I see this cycle I would consider it a higher priority: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17095
Third, there is another Kerberos security feature bypass vulnerability to be patched. We'll be applying and testing this on our internal domains that many managed servers are a part of: https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16996
Fourth, there's an RCE/EoP vulnerability that requires SMB read access to a host (which means it could affect any host that grants SMB share access, but not NTFS access, to the 'Everyone' identity). Once an adversary has this level of access, they can send specially crafted packets over the network or locally to get the affected host to run arbitrary code as the SYSTEM identity. This affects Server 2012 and up: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17096
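Since the fourth item hinges on hosts that grant the 'Everyone' identity share-level SMB access, a quick way to find that exposure pattern across managed servers is to enumerate share ACLs. The following PowerShell is an added example written for this notice, not a script from the original post or from the hosting provider; it uses the built-in SmbShare cmdlets available on Server 2012 and later, and the host names at the bottom are constructed placeholders.

```powershell
# Added example (not part of the original notice): list SMB shares whose
# share-level ACL grants 'Everyone' an Allow entry, i.e. the exposure the
# notice describes for CVE-2020-17096. Share ACLs are checked, not NTFS
# ACLs, because the notice's point is that share access alone suffices.
# Requires the SmbShare module (Server 2012 and later) and local admin rights.

function Get-EveryoneSmbShare {
    [CmdletBinding()]
    param(
        # Share names to skip, e.g. shares you have already reviewed.
        [string[]]$ExcludeShare = @()
    )

    foreach ($share in Get-SmbShare) {
        if ($ExcludeShare -contains $share.Name) { continue }

        # One entry per ACE on the share's access list.
        $everyoneAces = Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }

        foreach ($ace in $everyoneAces) {
            [pscustomobject]@{
                ComputerName  = $env:COMPUTERNAME
                Share         = $share.Name
                Path          = $share.Path
                EveryoneRight = $ace.AccessRight   # Read, Change or Full
            }
        }
    }
}

# Local report.
Get-EveryoneSmbShare | Format-Table -AutoSize

# Fleet report over WinRM; these names are constructed placeholders,
# substitute your own inventory.
$managedHosts = @('SRV-EXAMPLE-01', 'SRV-EXAMPLE-02')
Invoke-Command -ComputerName $managedHosts -ScriptBlock ${function:Get-EveryoneSmbShare} |
    Select-Object PSComputerName, Share, Path, EveryoneRight |
    Format-Table -AutoSize
```

Note that Windows grants 'Everyone' Read on newly created shares by default, so a non-empty result is normal; the value of the report is in deciding, share by share, whether that default is actually wanted on a host that is still awaiting the patch.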
Impact of Work:
Our Exchange host will be rebooted at least once tonight to propagate security fixes. This may intermittently interfere with our ability to send and receive mail while patches are being applied. A direct ticket update via the helpdesk portal will still work, as will a phone call.
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on those clusters. Hypervisors not in a failover cluster will either be updated overnight or have their updates scheduled, depending on customer policy and VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
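The procedure above (patch, reboot from 9:30 PM, then audit the next day for hosts that still need a one-off reboot) is the kind of check that is easiest to run as a script. The following PowerShell is an added example written for this notice, not the provider's own tooling: for each host it reports the OS, whether the last boot falls after the maintenance window opened, which hotfixes were installed on or after the Patch Tuesday date, and whether Windows still has a reboot pending. It assumes WinRM and DCOM access with administrative rights; the host names are constructed placeholders and the dates are taken from this notice.

```powershell
# Added example (not part of the original notice): post-patch audit of
# Windows Server 2012+ hosts. Flags hosts that have not rebooted since the
# maintenance window opened, or that still report a pending reboot.

function Get-PatchAuditReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$ComputerName,
        # Start of the reboot window from the notice (local time of the hosts).
        [datetime]$WindowStart = (Get-Date '2020-12-08 21:30'),
        # Patch Tuesday date; hotfixes installed on or after it are listed.
        [datetime]$PatchDate   = (Get-Date '2020-12-08')
    )

    foreach ($computer in $ComputerName) {
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer -ErrorAction Stop

            # Win32_QuickFixEngineering entries with an install date on/after Patch Tuesday.
            $recentFixes = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn -ge $PatchDate }

            # Reboot-pending markers written by Component Based Servicing and Windows Update.
            $pending = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
                (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')
            }

            [pscustomobject]@{
                ComputerName     = $computer
                OS               = $os.Caption
                LastBoot         = $os.LastBootUpTime
                RebootedInWindow = ($os.LastBootUpTime -ge $WindowStart)
                HotfixesSince    = ($recentFixes.HotFixID -join ',')
                RebootPending    = [bool]$pending
                Error            = $null
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported rather than dropped,
            # so they are not mistaken for successfully patched ones.
            [pscustomobject]@{
                ComputerName     = $computer
                OS               = $null
                LastBoot         = $null
                RebootedInWindow = $null
                HotfixesSince    = $null
                RebootPending    = $null
                Error            = $_.Exception.Message
            }
        }
    }
}

# Constructed placeholder inventory; substitute the managed-host list.
$managedHosts = @('SRV-EXAMPLE-01', 'SRV-EXAMPLE-02', 'HV-EXAMPLE-01')

# Hosts needing follow-up sort to the top: not rebooted in the window, or reboot still pending.
Get-PatchAuditReport -ComputerName $managedHosts |
    Sort-Object RebootedInWindow, @{ Expression = 'RebootPending'; Descending = $true } |
    Format-Table ComputerName, OS, LastBoot, RebootedInWindow, RebootPending, HotfixesSince, Error -AutoSize
```

For hypervisors in a failover cluster, run the report after each node's rolling reboot rather than once for the whole cluster, so that a node with a pending reboot is caught before the next node is drained.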
Please contact us with any questions / comments / concerns.