Monthly Security Patching for Fully-Managed Windows 2012+ servers - October 12, 2021
Posted by David Cunningham on 12 October 2021 08:56 PM
Purpose of Work:
October's Patch Tuesday is here.
Surprisingly, there are no bugs this cycle that have the internet particularly spooked, but we'll still be doing a timely patch cycle.
Here are a few lowlights for this month:
First off, there's a locally vectored elevation of privilege bug leveraging the kernel, affecting Server 2012 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40449). Judging by the exploit code maturity, this is confirmed to have been leveraged in at least one malware attack.
Secondly, there's an adjacent network vectored remote code execution vulnerability leveraging Exchange server, affecting Exchange 2013 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26427). Since it's adjacent network vectored, it should only be exploitable from hosts on the same layer 2 network, or at most from within RFC1918 (private) subnets. Naturally, we'll be updating our Exchange server, if only for good maintenance practices.
Third, there's an adjacent network vectored remote code execution vulnerability leveraging Hyper-V, affecting Server 2019 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40461). There isn't a lot of detail about this one, but I'd guess VMs on the same layer-2 subnet as their hypervisor could break sandboxing in some fashion. The attack complexity is high, and there doesn't appear to be any exploitation detected as of yet.
Fourth, there's a network-vectored remote code execution vulnerability leveraging the MS DNS server, affecting Windows 2008 and up (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40469). Normally this would be of high concern and priority (since the DNS Server service runs as SYSTEM, every RCE vulnerability affecting it is also an EOP vulnerability), but Microsoft has listed the privileges required to exploit it as 'high', implying somebody would already need some level of admin or system-level access to the host. Odd, and perhaps a clerical error, so that's reason enough to drive this patching event.
Impact of Work:
All affected hosts running Windows 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30 PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted for the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging into the helpdesk portal and submitting a ticket there, or by calling us at 303-414-6910 x2 for emergencies.
Hypervisors in a failover cluster will have rolling reboots done, so that VPS downtime on those clusters is avoided. Hypervisors not in a failover cluster will either be updated overnight or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
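As an added illustration of the rolling-reboot approach described above (example PowerShell written for this notice, not the provider's own tooling): each node of a Hyper-V failover cluster is drained so its VMs live-migrate elsewhere, rebooted to apply the updates, resumed, and then checked for updates installed on or after Patch Tuesday. The cluster name, the reboot timeout, and the use of `Get-HotFix` as the verification step are assumptions.

```powershell
#Requires -Modules FailoverClusters
# Added example (not the notice's own tooling): drain, reboot and resume each node of
# one Hyper-V failover cluster in turn, then list the updates installed on that node
# on or after Patch Tuesday. Cluster name and timeout are placeholders/assumptions;
# run from a management host that has cluster admin rights and WinRM access to nodes.

function Invoke-RollingClusterReboot {
    param(
        [Parameter(Mandatory)] [string] $ClusterName,   # placeholder supplied by the caller
        [datetime] $PatchDate     = '2021-10-12',       # October 2021 Patch Tuesday
        [int]      $RebootTimeout = 1800                # seconds to wait for a node to return
    )

    $nodes = Get-ClusterNode -Cluster $ClusterName | Where-Object State -eq 'Up'

    foreach ($node in $nodes) {
        Write-Host "[$($node.Name)] draining clustered roles..."
        # -Drain live-migrates clustered VMs to other nodes; -Wait blocks until the drain finishes.
        Suspend-ClusterNode -Name $node.Name -Cluster $ClusterName -Drain -Wait | Out-Null

        # Safety check: never reboot a node that still owns a VM role.
        $stuck = Get-ClusterGroup -Cluster $ClusterName |
                 Where-Object { $_.GroupType -eq 'VirtualMachine' -and $_.OwnerNode.Name -eq $node.Name }
        if ($stuck) {
            Write-Warning "[$($node.Name)] $(@($stuck).Count) VM role(s) did not drain; resuming node and skipping it."
            Resume-ClusterNode -Name $node.Name -Cluster $ClusterName -Failback NoFailback | Out-Null
            continue
        }

        Write-Host "[$($node.Name)] rebooting to apply updates..."
        Restart-Computer -ComputerName $node.Name -Force -Wait -For PowerShell -Timeout $RebootTimeout

        # Wait until the cluster service reports the node back (a suspended node returns as Paused).
        do {
            Start-Sleep -Seconds 15
            $state = (Get-ClusterNode -Name $node.Name -Cluster $ClusterName).State
        } until ($state -in 'Paused', 'Up')

        # Put the node back into rotation and fail its roles back right away.
        Resume-ClusterNode -Name $node.Name -Cluster $ClusterName -Failback Immediate | Out-Null

        # Verification: which updates on this node were installed on or after Patch Tuesday?
        $applied = Get-HotFix -ComputerName $node.Name |
                   Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate }
        if (-not $applied) {
            Write-Warning "[$($node.Name)] no updates dated $($PatchDate.ToShortDateString()) or later were found."
        }
        $applied | Select-Object @{ n = 'Node'; e = { $node.Name } }, HotFixID, InstalledOn
    }
}

# Usage (placeholder cluster name):
# Invoke-RollingClusterReboot -ClusterName 'HV-CLUSTER-PLACEHOLDER'
```

The node is left paused rather than rebooted if the drain leaves any VM behind, since a forced reboot at that point is exactly the VPS downtime the rolling approach is meant to avoid. Windows' built-in Cluster-Aware Updating (`Invoke-CauRun`) performs the same drain/update/resume sequence and is the usual choice where it is already configured.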
Please contact us with any questions / comments / concerns.