Monthly Security Patching for Fully-Managed Windows 2012+ servers - August 10, 2021
Posted by David Cunningham on 10 August 2021 06:15 PM
Purpose of Work:
August's Patch Tuesday has arrived, and we have more than a few vulnerabilities that are publicly known or being leveraged in attacks this month.
First off, there's an Elevation of Privilege vulnerability for Windows 10 / Windows Server 2019+, leveraging the "Windows Update Medic Service", a new auto-repair service in newer releases of Windows (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948). Microsoft has detected active exploitation of this vulnerability. Elevation of privilege is of course going to be especially alarming in the context of a webserver, or any web-accessible service that is both easily discovered and easily interacted with.
Secondly, we have an LSA spoofing vulnerability, affecting all versions of Windows Server since 2008 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942). It seems this vulnerability can be used to trigger unexpected behavior in hosts through the LSARPC interface (a feature in SMB). This appears to be most impactful when it is used to force a domain controller to authenticate against another server using NTLM, without the attacker needing any level of access. This vulnerability is currently publicly known, and we'll be patching it tonight, in addition to reviewing the additional guidance section throughout the week.
Third of all, we have yet another Remote Code Execution vulnerability, affecting all versions of Windows since Server 2008, and leveraging the Print Spooler service (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36936). This one is listed as requiring 'low' privileges, so it likely isn't as much of a showstopper as last month's "PrintNightmare" bug. It is, however, another publicly disclosed vulnerability.
Fourth on the menu, there is an RCE vulnerability affecting all versions of Windows since Server 2008, and leveraging the TCP/IP stack (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26424). The specific example given in the executive summary is "This is remotely triggerable by a malicious Hyper-V guest sending an ipv6 ping to the Hyper-V host. An attacker could send a specially crafted TCPIP packet to its host utilizing the TCPIP Protocol Stack (tcpip.sys) to process packets." I do not know if this affects Hyper-V exclusively, but that may be the case.
Fifth up, we have a slightly unusual one: an RCE vulnerability leveraging the Remote Desktop Client. This one affects versions of Windows since 2008 R2, and seems to be public at the time of writing. It's also one that would primarily affect endpoints connecting to a compromised server; for example, opening the Hyper-V console to look at a compromised guest, or RDPing into a compromised server directly.
There are other critical vulnerabilities, but those are enough reason for us to proceed with the usual round of reboots on patch night, rather than letting things update on an automatic schedule.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted for the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or, for emergencies, by calling us at 303-414-6910 x2.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.