Monthly Security Patching for Fully-Managed Windows 2012+ servers - September 14, 2021
Posted by David Cunningham on 14 September 2021 08:31 PM
Purpose of Work:
September's Patch Tuesday has arrived, and as usual, there are enough vulnerabilities to justify day 1 overnight patching.
First off, there's a zero-day RCE vulnerability leveraging the ActiveX controls in the MSHTML feature, affecting Windows Server 2008 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444). This vulnerability requires minimal user interaction, and executes code in the context of the user who opened the document. It's currently being exploited in the wild, using Office documents with malicious web content as the delivery mechanism for malicious payloads. As such, Microsoft released this patch out-of-band last week. We've patched most remote desktop environments for this already; general server patching will follow tonight.
Secondly, there's a zero-interaction RCE vulnerability leveraging the Windows WLAN AutoConfig service, affecting Windows Server 2008 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36965). As we are a datacenter, Wi-Fi is not in use on our server workload, so this patch will be applied only incidentally, as part of the monthly rollup. However, it's worth announcing, as it is wormable wherever a rogue or infected host shares a Wi-Fi network with devices running this service. Organizations running mobile workstations should take notice.
Third, there's a memory corruption vulnerability leveraging the Windows Scripting Engine that affects Windows Server 2008+ (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26435). This vulnerability requires user interaction, either opening a file or visiting a webpage with a malicious file embedded in it. It is not currently known to be under active exploitation. In general, memory corruption vulnerabilities require more creative exploits to be leveraged successfully.
Fourth, there are various elevation of privilege vulnerabilities leveraging several roles (and one kernel vulnerability), affecting Server 2008+ (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36974, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40447, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38671). EoP vulnerabilities in general are a can of worms on any webserver, since a compromised website can easily turn into a compromised server.
Finally, Microsoft has disclosed several Elevation of Privilege vulnerabilities for various system components on Windows 2008 and 2008 R2 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36968, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38625, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38626). These are a great demonstration of why it's important that any 2008-or-below hosts are upgraded to 2012+: said patches are not available without ESU licensing.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically, as soon as possible, to propagate fixes, starting at 9:30 PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket directly via the portal, or calling us at 303-414-6910 x2, for emergencies.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
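For customers who manage their own updates, or who want to confirm that tonight's reboot actually activated the fixes, the script below is an added verification example (not part of this notice and not a tool we ship). It reports the host's OS build (anything below 9200, the Server 2012 build, is 2008/2008 R2 and needs the upgrade or ESU discussed above), whether the expected KBs are installed, whether the WLAN AutoConfig service behind CVE-2021-36965 is present or running on a server where Wi-Fi should not be in use, and whether a reboot is still pending. The KB numbers are placeholders; take the real ones from the MSRC links above. It assumes Windows PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example (not part of the original notice): post-patch verification for
# the items in this cycle. Run elevated on each host.
param(
    # Hypothetical placeholder ids; replace with the rollup / out-of-band KB ids
    # MSRC lists for this host's OS version.
    [string[]]$ExpectedKBs = @('KB0000000-PLACEHOLDER')
)

$os     = Get-CimInstance -ClassName Win32_OperatingSystem
$build  = [int]$os.BuildNumber
$report = [ordered]@{}

# Server 2012 shipped as build 9200; 2008 is 6002 and 2008 R2 is 7601. Those
# hosts only get this month's fixes with ESU licensing, so flag them.
$report['OS']             = $os.Caption
$report['Build']          = $build
$report['NeedsOSUpgrade'] = ($build -lt 9200)

# Which of the expected updates are installed? HotFixID is the "KBnnnnnnn" string.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
foreach ($kb in $ExpectedKBs) {
    $report["Installed_$kb"] = ($installed -contains $kb)
}

# CVE-2021-36965 lives in WLAN AutoConfig (service name WlanSvc). On a datacenter
# server it should not be running at all; report it if it is.
$wlan = Get-Service -Name WlanSvc -ErrorAction SilentlyContinue
$report['WlanSvcPresent'] = ($null -ne $wlan)
$report['WlanSvcRunning'] = ($null -ne $wlan -and $wlan.Status -eq 'Running')

# An installed patch is not active until the host has rebooted. Windows Update
# and Component Based Servicing create these keys while a reboot is pending.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$report['RebootPending'] = [bool]($pendingKeys | Where-Object { Test-Path $_ })

# Emit one object per host so results can be collected across a fleet
# (for example via Invoke-Command) and filtered on the boolean columns.
[pscustomobject]$report
```

A host is in good shape when every Installed_* column is True, RebootPending is False, and on server workloads WlanSvcRunning is False; a True in NeedsOSUpgrade means the 2008-era EoP fixes listed above are not reachable without ESU, regardless of what the KB columns say.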
Please contact us with any questions / comments / concerns.