Dear Valued Clients,
We have received an update from our server technicians indicating that the ACCUHyperV-OVLON server requires the installation of Critical Windows updates. This maintenance will involve approximately 30 to 60 minutes of downtime.
This maintenance will affect your VPS if your VPS name starts with OVLONS01, OVLONE01, OVLONE02 or OVLONS02.
Purpose of Work:
February's Patch Tuesday has arrived, and Microsoft has cranked up the heat today. There are 75 Windows vulnerabilities being patched this month, compared to 51 in February 2022 and 56 the year before that; a noteworthy increase in patching volume.
Of those 75 vulnerabilities, 3 are under active exploitation, with no public disclosure aside from that. Of those under active exploitation, there's one that can be used for Remote Code Execution, affecting Microsoft Exchange Server. We'll lead with that, in the highlights.
Preliminary reports from early adopters indicate no apparent widespread issues, and the test environment has shown no major trouble, post-update. Most known issues from previous patch cycles appear to be resolved, per https://learn.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016 and the other subpages accessible through the sidebar at that page. A few situational issues linger, but nothing worth highlighting here.
We've got a few pretty noteworthy ones for the patched vulnerability highlights, this month.
First up, there's a series of Remote Code Execution vulnerabilities affecting and leveraging all supported versions of Exchange Server, for the most part ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21707, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21710, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21706 ). From that list, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21529 in particular is currently being used to actively attack servers, using basic user authentication to execute administratively elevated code via the PowerShell backend on vulnerable Exchange servers. This one is an incomplete fix, from a vulnerability patched last fall. Beyond that, the other vulnerabilities in that assortment are not reported as 'in the wild', but they all involve some level of user authentication without user interaction, which essentially means that a compromised RDP or webmail password could result in a compromised server and a foothold into your network. None of these patches seem to cite a need for additional actions to activate the fix, unlike many previous Exchange security patches.
Second, there's an Arbitrary Code Execution vulnerability leveraging Microsoft Word, and affecting all Word, Office and SharePoint products that utilize it ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 ). I will note that the CVSS for this one is uncommonly high (at 9.8/10!), essentially putting it on par with wormable vulnerabilities in its risk assessment level. This is owing to the fact that this vulnerability requires essentially no user interaction, as they've classified it. A user need only be logged into Outlook with the preview pane enabled, and a malicious email with its payload in a Word document will be able to kick off code execution in the background. Pair this with any Elevation of Privilege vulnerability, or somebody logged in as admin checking their email, and you've got a compromised server instead of a compromised user.
Third in line, we have another Elevation of Privilege vulnerability leveraging the Common Log File System driver, and affecting all supported versions of Windows ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23376 ). As an EOP vulnerability, this is essentially gasoline to an RCE vulnerability's spark. Should somebody develop a working exploit for that Microsoft Word vulnerability in spot #2, you've got a fire to contend with.
The fourth spot goes to a Security Feature Bypass vulnerability leveraging and affecting all supported versions of the Office 365 desktop apps ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21715 ). Like most of the other highlights so far, this one is under active attack / is 'in the wild'. It's a little unclear what the exact impact of this one is, but it sounds like a bypass of the default macro or "mark of the web" file execution blocking that users see when opening downloaded unsigned executables or Office documents with macros in them, which means it may be used to enhance social engineering scams.
Fifth on the list is a trio of Remote Code Execution vulnerabilities leveraging Network Policy Server, and affecting all supported versions of Windows running it ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21692, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21690, https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689 ). To clarify that statement a little bit, Network Policy Server is a Windows feature generally used by RADIUS servers, so if you have one in your environment, patch it ASAP. This vulnerability is confirmed to be wormable, requiring nothing but the ability to establish a connection to your RADIUS server (no logins needed) to spread.
Spot six goes to an RCE vulnerability leveraging the SQL ODBC Driver, and affecting Microsoft SQL "Server" 2014 and up ( https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21718 ). To quote the article directly for this one: "An attacker could exploit the vulnerability by tricking an un-authenticated user into attempting to connect to a malicious SQL server database via ODBC. This could result in the database returning malicious data that might cause arbitrary code execution on the client." So this is less of a server vulnerability and more of a client vulnerability, even if the client is technically part of the server libraries. DBAs beware.
As usual, we're only scratching the surface with the highlights. The rest of the updates this month are all reviewable at https://msrc.microsoft.com/update-guide with the proper filtering.
Maintenance Date / Time:
OVLONS01 : Feb 18, 2023 - Saturday - 10:00 PM MST
OVLONS02 : Feb 18, 2023 - Saturday - 11:00 PM MST
Maintenance Impact & ETA of Outage:
During the update process, your VPS will be inaccessible.
We thank you for your co-operation.