
Purpose of Work:

September's Patch Tuesday has arrived, and while there are a few standout vulnerabilities, volume seems normal. There are 64 Windows vulnerabilities being patched this month, compared to 66 in September 2021.

Preliminary reports from early adopters indicate no apparent widespread issues, which is about what we'd expect. Still, the test environment will be updated first and monitored for any showstoppers.

Of those 64 vulnerabilities, only one is under active attack, and another is a proper zero-day threat, in that it's wormable and affects a wide scope of hosts.

To get into the highlights, we'll start with the vulnerability under active exploitation: a local code execution vulnerability affecting Microsoft Edge and other Chromium-based browsers ( ). You'd have to interact with a malicious webpage for this to affect you, from what I'm seeing, so this is more of a concern on workstations, VDIs and RDS servers.

Second on the list, we have the wormable vulnerability: a Remote Code Execution vulnerability leveraging the TCP/IP service, on all supported versions of Windows Server and Windows ( ). Since TCP/IP support is in the Windows kernel, all code executed through this vulnerability would automatically be elevated. This vulnerability requires that attackers be able to send a given host a specially crafted IPv6 packet, so hosts with no IPv6 address or protocol support enabled will be safe. That said, since IPv6 (and an APIPA address) are defaults in most cases, it's important to roll this one out quickly, since it still has a potentially broad scope of applicability.

Third up, there are two more wormable vulnerabilities, with what may be a more limited scope: Remote Code Execution vulnerabilities leveraging the IKE Protocol Extensions stack, on all supported versions of Windows Server and Windows ( ). The executive summary for these ones is a little vague about the details, beyond that an attacker can send a specially crafted IKEv1 packet to any Windows host with IPsec enabled to more or less open an RCE backdoor to the host. As with the previous vulnerability, these ones will automatically run privilege-elevated code. The scope is a little more ambiguous, however: it's unclear if you simply need to have IKE supported in the networking protocol stack, or if you have to have an actual IKE listener set up (as part of a tunnel or IPsec VPN dial-in client). We'll be erring on the safe side.

Fourth up, there's a Denial of Service vulnerability leveraging the Windows DNS Server service, on all supported versions of Windows Server ( ). While not as high-stakes as the parade of RCE vulnerabilities above, giving attackers an easy way to bring down any server with the DNS role installed and running is, of course, to be avoided. In particular, environments with a domain controller will want to see this deployed quickly.

Number 5 is a slightly more obscure one with less information: an Arbitrary Code Execution vulnerability affecting all supported versions of .NET Framework ( ). It sounds like on the client level, a user would have to download and run a specially crafted file for this to be exploited, but a website running .NET may be targeted in the same way, if you can get it to access said file. Something for the webservers to watch out for.

The sixth vulnerability is an Elevation of Privilege vulnerability leveraging the Windows Common Log File System Driver, and affecting all supported versions of Windows Server and Windows ( ). This one has been reported by multiple agencies, and may be seeing some use in the wild, but it hasn't yet been reported as such. As is the case with all EoP vulnerabilities, an attacker must first have a foothold to take advantage of it, but with the low attack complexity, it may not need to be much of one.

The final vulnerability I'll expand upon is a Remote Code Execution vulnerability leveraging the Remote Procedure Call Runtime, and affecting all supported versions of Windows Server ( ). This one looks like it could be wormable and wide-scoped, based on the fact that it's targeting a core Windows service, the Network attack vector, and no user interaction or privileges required. The only thing holding it back from being more of a showstopper is the apparently 'high' attack complexity, explained thusly: "Successful exploitation of this vulnerability requires an attacker to invest time in repeated exploitation attempts through sending constant or intermittent data. An unauthenticated attacker on local networks could spoof their IP address as localhost and access functionality in portmap.sys intended to only be reachable from localhost."

I'll add that none of the vulnerabilities this month (including yet more Print Spooler and Kerberos Elevation of Privilege vulnerabilities) seem to require additional action, beyond installing a given patch.
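A triage script, added here and not part of the original notice, that reports on the local host the exposure conditions called out above: IPv6 bound and addressed (TCP/IP RCE), a running IKEEXT service or an IKE/NAT-T listener (IKE RCE, erring on the safe side as we do), the DNS role (DNS DoS), and the Print Spooler service. It assumes only the built-in NetAdapter/NetTCPIP cmdlets available on Windows 8 / Server 2012 and later; the function and property names are our own.

```powershell
# Added exposure check for this patch cycle (not from the original notice).
# Assumes the built-in NetAdapter / NetTCPIP modules (Windows 8 / Server 2012+).
function Get-PatchExposure {
    $result = [ordered]@{}

    # TCP/IP (IPv6) RCE: exposed when IPv6 is bound on an adapter and the host
    # holds an IPv6 address, which includes the default link-local address.
    $v6Bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled }
    $v6Addr = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
        Where-Object { $_.InterfaceAlias -notmatch 'Loopback' }
    $result['IPv6Exposed']  = [bool]($v6Bound -and $v6Addr)
    $result['IPv6Adapters'] = ($v6Bound.Name | Sort-Object -Unique) -join ', '

    # IKE RCE: scope is ambiguous, so flag the host if the IKEEXT service is
    # running OR something is listening on UDP 500 / 4500 (IKE and NAT-T).
    $ike      = Get-Service -Name IKEEXT -ErrorAction SilentlyContinue
    $ikePorts = Get-NetUDPEndpoint -LocalPort 500, 4500 -ErrorAction SilentlyContinue
    $result['IkeServiceRunning'] = ($ike.Status -eq 'Running')
    $result['IkeListening']      = [bool]$ikePorts

    # DNS Server DoS: only hosts with the DNS role (DNS service present) matter.
    $result['DnsRolePresent'] = [bool](Get-Service -Name DNS -ErrorAction SilentlyContinue)

    # Print Spooler EoP: note whether the service is running at all.
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $result['SpoolerRunning'] = ($spooler.Status -eq 'Running')

    # Most recently installed update, to confirm after the reboot window.
    $latest = Get-HotFix -ErrorAction SilentlyContinue |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $result['LatestHotfix'] = if ($latest) { "$($latest.HotFixID) installed $($latest.InstalledOn)" } else { 'unknown' }

    [pscustomobject]$result
}

Get-PatchExposure | Format-List
```

Run it from an elevated prompt on a test host before and after the patch window; a host showing IPv6Exposed, IkeListening or DnsRolePresent as True belongs at the front of the reboot queue.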

That's all for the highlights, but as usual, there's plenty more where that came from, all reviewable at with the proper filtering.

Impact of Work:

All affected hosts that are 2012 and up will be rebooted automatically / ASAP to propagate fixes, starting at 10:00PM, with some exceptions.

Internal systems on Windows 2012 and up (such as the management portal) may be temporarily impacted in the time it takes to reboot them. Mail delivery to our helpdesk may be temporarily halted while our mail servers are updated as part of this patch cycle. If you receive a delivery failure, you can still reach us by logging directly into the helpdesk and submitting a ticket via the portal, or by calling us at 303-414-6910 x2 for emergencies.

Hypervisors in a failover cluster will have rolling reboots done, in order to eliminate VPS downtime on said clusters.  Hypervisors not in a failover cluster will either be updated overnight, or have their updates scheduled, depending on customer policy / VM density.

Hypervisors in DR scenarios may be updated up to one hour early, as they are not running active workloads.

Any hosts where updates are managed directly by the customer (or an approval process is required for zero-day updates) will not be impacted; the controlling organizations will be notified separately.

Please contact us with any questions / comments / concerns.
