[Completed] Monthly Security Patching for Fully-Managed Windows 2012+ servers - March 9, 2021
Posted by David Cunningham on 09 March 2021 10:48 PM
Completion, Thu 11 Mar 2021 12:31:26 AM MST:
We've finished updating all hosts except a few that are highly available (and thus should not result in any actual customer downtime), so no further impacts due to Windows updates are expected.
Update, Wed 10 Mar 2021 12:44:03 AM MST:
Many hosts have been rebooted, and we are continuing to monitor to ensure they come up without incident. We'll continue to manage reboots throughout the night, checking for any hosts that were unable to update and finishing their updates tomorrow night.
Purpose of Work:
March's Patch Tuesday is underway, and while Microsoft did get a lot of urgent Exchange-related patches released early this month (see: https://helpdesk.handynetworks.com/supportsuite/index.php?/News/NewsItem/View/299/completed-emergency-out-of-band-security-patching-for-fully-managed-exchange-mail-servers-march-2nd-2021 ), there are still a few vulnerabilities of note that we'll be taking care of on fully managed hosts tonight.
Firstly, a few of these Exchange patches have new revisions out ( https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 ). We'll be reapplying these to the handful of Exchange hosts we manage.
Second, there's another DNS RCE exploit that affects 2008+ ( https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26897 ). This is, as always, a priority patch. The DNS service runs as Local System, so effectively, RCE exploits targeting the DNS server can be used to compromise a host outright. The executive summary implies this might be related to (or at least, exacerbated by) the configuration of insecure dynamic updates on Windows DNS servers. While the exploit does affect 2008, which will not be patched, I will note that this configuration is not the default on any hosting panel or platform we manage, at least. 2012+ hosts will be patched.
Third, there's an IE memory corruption vulnerability that affects IE 9+ (and Edge) ( https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26411 ). The executive summary clarifies that this requires user interaction, so ASP sites that use underlying Explorer libraries are probably unaffected by this. This would be more of an issue on RDS servers that have users who run Explorer or Edge.
Fourth, there's a generic escalation of privilege affecting Windows 2008+ ( https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27077 ). The executive summary has little detail, but of course, these kinds of vulnerabilities could potentially exacerbate small-scale website or application compromises and turn them into host compromises, if left unpatched.
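For the DNS item above, which mentions insecure dynamic updates, the following PowerShell audit is an added example and is not part of the original notice or of Handy Networks' tooling. It assumes the DnsServer module (Windows Server 2012+) and an elevated session on the DNS server itself; it only reports and prints suggested commands, and changes nothing.

```powershell
#Requires -Modules DnsServer
# Added audit example: report primary zones that accept nonsecure dynamic updates.
# Assumption: run locally and elevated on the Windows DNS server being checked.

# Account the DNS Server service (service name 'DNS') runs under.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
Write-Host ("DNS service runs as: {0} (state: {1})" -f $svc.StartName, $svc.State)

# Only primary zones are writable on this server; skip auto-created zones.
$zones = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$report = foreach ($z in $zones) {
    $insecure = ($z.DynamicUpdate -eq 'NonsecureAndSecure')

    # Secure-only updates need an AD-integrated zone; a file-backed zone
    # can only be set to None or NonsecureAndSecure.
    $target = if ($z.IsDsIntegrated) { 'Secure' } else { 'None' }

    [pscustomobject]@{
        Zone          = $z.ZoneName
        AdIntegrated  = $z.IsDsIntegrated
        DynamicUpdate = $z.DynamicUpdate
        Flagged       = $insecure
        SuggestedFix  = if ($insecure) {
            "Set-DnsServerPrimaryZone -Name '$($z.ZoneName)' -DynamicUpdate $target"
        } else { '' }
    }
}

$report | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap

$flagged = @($report | Where-Object { $_.Flagged })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} zone(s) accept nonsecure dynamic updates." -f $flagged.Count)
} else {
    Write-Host "No primary zone accepts nonsecure dynamic updates."
}
```

Setting a file-backed zone to None stops client and DHCP registrations into that zone, so review each suggested command before running it.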
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 11:00 PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.