Completion [Thu 14 Jan 2021 12:17:47 AM MST] Our post update night audit reveals that the vast majority of servers successfully updated overnight. A few one-off reboots will need to be conducted from here, but they will be done after-hours or scheduled separately where needed.
Purpose of Work:
2021's first patch Tuesday has arrived, and there's a few notable vulnerabilities to be dealt with this time around.
First off, there's a publicly-disclosed escalation of privilege vulnerability affecting windows 2012+ that was introduced with a patch for a similar vulnerability. This publicly disclosed vulnerability has a proof-of-concept exploit, and will likely be exploited in the wild, soon: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1648
Secondly, there's a remote desktop security feature bypass vulnerability affecting windows 2012+. Microsoft has yet to disclose what is being bypassed, but the high CVSS score of 8.8/10 and low complexity is worrisome, implying perhaps the ability to spoof or bypass an authentication: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1674
Third, Microsoft has found a remote code execution vulnerability in Windows Defender that was being exploited in the wild upon their discovery. This one has likely already been patched on any host with internet access and the default automatic definition updates that windows defender has, but is worth mention for those who have overridden those settings. Fully managed clients should be covered already. https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1647
Fourth, there is a Hyper-V escalation of privilege vulnerability affecting server 2012+. Details are sparse, but it does appear to require local access to the host. That said, any hypervisor running a web-accessible service might be at risk: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1704
And fifth of all, there is a remote code execution vulnerability affecting the RPC service on 2008+ that can be done over the network and has a CVSS score of 8.8, as well as low privilege requirement. While that doesn't seem to be wormable (since it require some level of privileges), it is worth patching ASAP. There are actually a few CVEs for similar exploits: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1658 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1660 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1702
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11:15PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.