Purpose of Work:
February's Patch Tuesday is underway, and there are some notably bad vulnerabilities this time around.
First and foremost, there's CVE-2021-24078. This is a remote code execution vulnerability affecting a privileged service, the DNS Server, on Server 2008+. With low attack complexity, reachability over the network, and no user interaction required, this is likely a wormable vulnerability, and any code run through it executes in the SYSTEM context automatically. Microsoft has yet to provide a mitigation or workaround in its executive summary. To those fully managed customers who have yet to move away from a host running Windows Server 2008 R2 or earlier: these kinds of vulnerabilities are exactly the reason to move away from end-of-life operating systems, which will not be patched ASAP.
Second, there's CVE-2021-24094 and CVE-2021-24074. These are both remote code execution vulnerabilities affecting the TCP/IP stack (IPv6 and IPv4, respectively) on Server 2008+. Like the previous vulnerability, these are pre-authentication, network-accessible vulnerabilities that would allow injected code to run in a privileged service context. What's different here is that Microsoft has provided workarounds in its executive summary for both, and by default, the IPv4 mitigation should already be in place. We will be confirming this on all managed hosts we are unable to patch this cycle.
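As an added illustration (not part of this notice, and not our maintenance tooling), the following PowerShell audit shows one way to confirm the TCP/IP workaround state on hosts that cannot be patched this cycle. It assumes PowerShell remoting is enabled to the hosts in $Hosts (constructed placeholder names), that the hosts run Windows Server 2012 or later so the NetTCPIP cmdlets exist, and that Get-NetIPv4Protocol / Get-NetIPv6Protocol expose SourceRoutingBehavior and ReassemblyLimit properties (an assumption about the module's property names; the values are what Microsoft's documented netsh workarounds for CVE-2021-24074 and CVE-2021-24094 set). It also records whether the DNS Server service is present, since CVE-2021-24078 has no workaround and those hosts need the patch.

```powershell
# Added audit script; not from the notice. Assumes PowerShell remoting to the listed hosts,
# Windows Server 2012+ (NetTCPIP module present), and the property names noted below.
$Hosts = @('srv-example-01', 'srv-example-02')   # constructed placeholder host names

$Audit = {
    # CVE-2021-24074 (IPv4): Microsoft's documented workaround is
    #   netsh int ipv4 set global sourceroutingbehavior=drop   (default is DontForward)
    # CVE-2021-24094 (IPv6): Microsoft's documented workaround is
    #   netsh int ipv6 set global reassemblylimit=0
    # Property names SourceRoutingBehavior / ReassemblyLimit are assumed from the NetTCPIP module.
    $v4 = Get-NetIPv4Protocol
    $v6 = Get-NetIPv6Protocol

    # CVE-2021-24078 has no workaround; record whether the DNS Server service exists on this host
    $dns = Get-Service -Name DNS -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        OSVersion           = [System.Environment]::OSVersion.Version.ToString()
        IPv4SourceRouting   = $v4.SourceRoutingBehavior
        IPv6ReassemblyLimit = $v6.ReassemblyLimit
        DnsServerPresent    = [bool]$dns
        # Flag hosts where the documented workaround is not in effect
        IPv4Unmitigated     = ($v4.SourceRoutingBehavior -eq 'Forward')
        IPv6Unmitigated     = ($v6.ReassemblyLimit -ne 0)
    }
}

# Collect one row per host; unreachable hosts are reported as errors but do not stop the run
$results = Invoke-Command -ComputerName $Hosts -ScriptBlock $Audit -ErrorAction Continue

$results |
    Sort-Object Host |
    Format-Table Host, OSVersion, IPv4SourceRouting, IPv6ReassemblyLimit,
                 DnsServerPresent, IPv4Unmitigated, IPv6Unmitigated -AutoSize
```

Hosts with IPv4Unmitigated or IPv6Unmitigated set to True, and any host with DnsServerPresent set to True that is not being patched, are the ones to prioritise for an out-of-band patch window.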
Third, there's CVE-2021-26701, a remote code execution vulnerability affecting .NET 5.0 and certain versions of .NET Core. There is little information about this one, but the attack complexity is high, and it will likely result in websites using the listed frameworks being easily compromised and then used to attempt to take over the host. Unlike the previous two, this vulnerability does not include escalation of privilege on its own.
Fourth, there's CVE-2021-1732, an escalation of privilege vulnerability in the kernel on Server 2019+ and Windows 10 1803+. This one appears to have functional exploits that have already been detected in the wild, making it a true 0-day. We will be patching it tonight alongside the rest.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11:15PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.