Dear Valued Clients,
We have received an update from our server technicians indicating that ACCUHyperV-New York server requires the installation of Critical Windows updates. This maintenance schedule will involve approximately 30 to 60 minutes of downtime.
This maintenance will affect your VPS if your VPS name starts with CYNY.
Purpose of Work:
January's patch Tuesday has arrived, and they're starting off the year as busy as anyone. There are 98 windows vulnerabilities being patched this month, compared to 96 in January 2022.
Of those 96 vulnerabilities, 1 is under active exploitation, and another is publicly disclosed. Neither of these vulnerabilities are remote code execution vulnerabilities.
Preliminary reports from early adopters indicate no apparent widespread issues, and the test environment has shown no major trouble, post-update. All known issues from previous patch cycles appear to be resolved, per https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016 and the other subpages accessible through the sidebar at that page.
This includes the ODBC connection problems and the LSASS memory leak lingering from the last two patch cycles. Overall, this seems like it might end up going better than last year's January patch cycle, though we will be allowing for more testing time before we fully commit to this one, tonight.
To usher in the highlights, we'll begin, as always, with the vulnerability currently 'in the wild'. This time it's an elevation of privilege vulnerability leveraging the Windows Advanced Local Procedure Call internal feature, and affecting Windows 8.1 / Windows Server 2012 R2 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21674 ). This one is fairy scary for end-users, as a malicious payload that a Chromium browser (such as Edge) receives can be used to escape the browser sandbox and elevate to the local SYSTEM identity. When paired with a code execution payload, this could be used to deploy ransomware to a given server. This bug was reported by Avast, so that seems likely at this point.
2nd on the list, we have the publicly disclosed vulnerability, an elevation of privilege vulnerability leveraging the Windows SMB Witness service and affecting Windows 8.1 / Windows Server 2012 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21549 ). Normally any vulnerability with SMB in the name is going to be cause for universal alarm within windows environments, but the SMB Witness service is one only in use by Windows Server environments that make use of failover clustering (such as clustered hyper-V, SQL and file servers). Those servers are also usually going to be fairly locked down. However, if you have any non-privileged users that are compromised in such a scenario, or have made the mistake of having a webserver on the same host, this could very easily become a problem.
3rd up, we have a pair of elevation of privilege vulnerabilities affecting and leveraging all supported versions of on-prem exchange ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21763 ). This is actually a regression, or, perhaps more accurately, failed patching of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41123 from the November patch cycle, so we'll be making a priority of this one. Notably, it requires additional mitigation actions beyond installing the patch.
4th on the list, we have a remote code execution vulnerability leveraging the ODBC driver and affecting Windows 7 / Windows server 2008 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21732 ). Web hosting servers in particular are going to need this one patched, since some managed code could be able to interact with the ODBC driver without end-user trickery being required. Notably, any code executed with this vulnerability is pre-elevated, running in the SYSTEM security context.
5th up, there's a few security feature bypass vulnerabilities affecting Bitlocker on Windows 7 / Windows Server 2008 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21563 / https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41099 ). This is only a concern to those who are running bitlocker to encrypt their windows volumes. Those paying attention to the CVE names will note that one of these is from November 2022: I'm mentioning that one because today, Microsoft updated the vulnerability with the unique additional required step to apply protections of patching the recovery partition, if one exists.
There are a few other vulnerabilities worth mentioning offhand without further detail: a SharePoint Server security feature bypass that apparently allows attackers to bypass authentication and get access ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21743 ), another Microsoft Office arbitrary code execution vulnerability ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21734 ), several L2TP RCE vulnerabilities ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21734 , one of many), and a trio of print spooler EOP vulnerabilities ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21678 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21765 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21760 ).
As usual, we're only scratching the surface with the highlights. The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.
Maintenance Date / Time:
CVNY : January 22, 2023 - Sunday - 12:45 AM MST
Maintenance Impact & ETA of Outage:
During the update process, your VPS will be inaccessible.
We thank you for your co-operation.