Monthly Security Patching for Fully-Managed Windows 2012+ servers - November 9, 2021
Posted by David Cunningham on 09 November 2021 07:58 PM
Purpose of Work:
November's Patch Tuesday is here, and as usual there are a few standout vulnerabilities we'll be patching tonight.
First off, we have another Exchange RCE vulnerability: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17084, which sounds like it's some kind of regression bug, exposing an old vulnerability again. Applying this patch requires rebooting our Exchange server, so mail will be halted for a brief window during maintenance tonight. You can still submit tickets to the helpdesk via the web interface, or call in if there's an urgent issue. Otherwise, helpdesk mail will be queued up and delivered when the server is back up.
Secondly, there's an RCE vulnerability for Windows NFS server (all versions): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17051. This one isn't going to apply to any host we manage, as far as I'm aware. However, the network vector, no privileges required, 'likely' exploitation assessment, and low complexity all point to a vulnerability that is likely wormable... so those of you running NFS shares on Windows for use with Linux hosts, beware. No exploitation detected in the wild, but when it hits, it'll hit fast.
Third, there's a local elevation of privilege vulnerability affecting the Windows Kernel (2008+): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087. This one is actually out in the wild as an exploit, so we'll want to patch that ASAP; 0-day vulnerabilities like this are how compromised websites become compromised servers in a hurry.
Fourth, we have yet another print spooler RCE vulnerability (2008+): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17042. Details are a bit thin as to how this one works right now, but it probably works in a similar way to PrintNightmare. No exploitation detected in the wild, yet.
Fifth, but not least, we have an RCE vulnerability for remote desktop clients (Windows 7+): https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-38666. This would not affect the majority of our managed servers, since we don't make a habit of using them to RDP elsewhere... but anyone reading this is going to want to update their workstation operating system, and soon. This sort of thing is how compromised servers become compromised workstations.
Impact of Work:
All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 9:30PM, with some exceptions.
Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging into the helpdesk and submitting a ticket directly via the portal, or, for emergencies, by calling us at 303-414-6910 x2.
Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters. Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.
Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.
Please contact us with any questions / comments / concerns.
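For customers who manage their own updates, the following is an added example (not part of the original notice or our patching tooling) that reports, per host, which of the items above are relevant and whether a patch reboot is still outstanding. The function name `Get-PatchTuesdayExposure` is hypothetical; it assumes an elevated PowerShell 3.0+ session on the host being checked.

```powershell
# Added example: local exposure triage for the items in this notice.
# Get-PatchTuesdayExposure is a hypothetical name, not an existing cmdlet.
function Get-PatchTuesdayExposure {
    [CmdletBinding()]
    param()

    # NFS server role. Get-WindowsFeature exists only on Server SKUs,
    # so workstations report $null here instead of failing.
    $nfsInstalled = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $nfsInstalled = (Get-WindowsFeature -Name 'FS-NFS-Service').Installed
    }

    # Print Spooler: the host is only exposed while the service runs.
    $spooler = Get-Service -Name 'Spooler' -ErrorAction SilentlyContinue

    # Exchange: any MSExchange* service indicates an Exchange install.
    $exchange = @(Get-Service -Name 'MSExchange*' -ErrorAction SilentlyContinue)

    # RDP client binary version (relevant to hosts used to RDP elsewhere).
    $mstsc = Get-Item "$env:SystemRoot\System32\mstsc.exe" -ErrorAction SilentlyContinue

    # Most recent installed update; some entries carry no install date.
    $lastFix = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1

    # Registry markers left behind when an installed update awaits a reboot.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        NfsServerInstalled = $nfsInstalled
        SpoolerRunning     = ($null -ne $spooler) -and ($spooler.Status -eq 'Running')
        ExchangeServices   = $exchange.Count
        RdpClientVersion   = if ($mstsc) { $mstsc.VersionInfo.ProductVersion } else { $null }
        LastHotFixId       = if ($lastFix) { $lastFix.HotFixID } else { $null }
        LastHotFixDate     = if ($lastFix) { $lastFix.InstalledOn } else { $null }
        RebootPending      = $rebootPending
    }
}

Get-PatchTuesdayExposure | Format-List
```

A host that shows `RebootPending` as True after tonight's window has the updates staged but not yet active.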