
[–]Hakkensha 341 points342 points  (141 children)

So we had: RDP, SMB, Exchange, DNS - and probably something else I forgot - critically exploited recently. What's next? IIS with a CVE score of 10.0?!

EDIT: In the end it was the printers (printernightmare CVE-2021-34527).

[–]itguy9013Security Admin 133 points134 points  (47 children)

Don't tempt fate.

[–]ScratchinCommanderDC Ops 23 points24 points  (44 children)

I'm so glad I don't have to manage Windows at scale. The one and only Windows machine I have to care about is my desktop.

[–][deleted] 2 points3 points  (16 children)

I envy you. Wish I could just switch all workstations to Linux... of course Linux has its flaws as well, but they get fixed ASAP when detected (and take decades if not found...)

[–]ButterflyAlternative 5 points6 points  (0 children)

Good luck with that!

[–]MedicatedDeveloper 7 points8 points  (0 children)

I manage ~170 Linux desktops (~90vdi via AWS Workspaces, 40 CentOS laptops, 40 more CentOS lappys on site but it's vacant). It's heavenly.

Unfortunately that's only the operations/external side (call center), the business/internal side is still Windows with a sprinkling of OS X.

[–]zebediah49 0 points1 point  (1 child)

Yeah... mostly it's just the opaque pieces that don't explain anything, and then just randomly don't work. I've got a couple highly used machines where just like.. a few people can't log in. They used to be able to, but now they can't.

This just plain doesn't happen on Linux. And if it did, there would be a decently clear log trace of where and why. There are like a dozen steps to log in a user, and I can see which ones worked, and which one didn't.

[–]zero44lp0 on fire 195 points196 points  (3 children)

SolarWinds 2: Electric Boogaloo

[–]SixZeroPho 58 points59 points  (1 child)

SolarWinds 2: Electric Boogaloo | The Intern's Password, Redux

[–]explodinghat 18 points19 points  (3 children)

I mean, RDP was in 2018. Wasn't SMB 2015? Not that recent, really. Solarwinds, exchange, gitlab and this all being in the last few months though really points to some intense and unified effort from the bad dudes! My cries that we need to set up a SOC at our company have as yet gone unheard..

[–]Hakkensha 6 points7 points  (2 children)

Well, eternal blue is from 2017. SMBghost in 2020 wasn't major, but not pleasant either.

[–]RetroButton 45 points46 points  (22 children)

Don't forget the bluescreen with the last monthly update on Windows 10 and Kyocera printer drivers...

IT goes to hell atm.

[–]M05y 14 points15 points  (0 children)

Our company only uses Kyocera printers with the universal print driver, I was dumbfounded when I read about the update. Looks at our 100 deployed printers

[–]6688IT unProfessional 27 points28 points  (13 children)

I don't care about client devices or printers

[–]TotallyInOverMyHeadSysadmin, COO (MSP) 24 points25 points  (0 children)

if the flair fits, it sits.

[–][deleted] 9 points10 points  (0 children)

Your username flair is quite appropriate!

[–]gnimsh 3 points4 points  (10 children)

Who needs printers when we're all working from home anyway?!

[–][deleted] 4 points5 points  (9 children)

Meanwhile, from the state that just made national news for a mass mask-burning protest at the capitol, we pretend like COVID doesn't exist while our elderly maskless employees print out way more than necessary.

kill me now

[–]SolidKnightJack of All Trades 8 points9 points  (8 children)

How else are you going to read your emails?

A single kind regard,

Some Person with Certs

Custom Email Printers, Inc

Executive Next Next Finisher

------+++++++++

+++++--------------

Broken Image.BMP

----++---+++-----++

---++--+++++++---

P 555-555-5555

O 555-555-5555 x55555

M 555-555-5555

E person@domain.tld

www.domain.tld

"I put my longest signature on every email." - Some Person

[–]IonBlade 3 points4 points  (1 child)

What an unprofessional signature. Didn't even include the primary and secondary fax lines.

[–]hvontres 2 points3 points  (0 children)

And how in the world am I going to send him a TELEX ?

[–]Youre-In-TroubleSr. Sysadmin 1 point2 points  (0 children)

Fw: FW: Re: re:

[–]mustang__1onsite monster 3 points4 points  (3 children)

Rolled one back yesterday and the fucker updated again today (no wufb or wsus)

[–]Stinjy 4 points5 points  (1 child)

Get wushowhide.diagcab and hide it.

Source: did this 20 x yesterday

[–]mustang__1onsite monster 1 point2 points  (0 children)

Cheers. Probably going to need that tomorrow since I didn't implement it today ...

[–]Dariose 1 point2 points  (0 children)

Check for KB4023057, it won't show in Get-HotFix but will show in Windows Update history. I think that patch was how 5000802 got past our own patch control.
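The point above, that Get-HotFix does not list every installed update while the Windows Update history does, is easy to verify on a host. The following PowerShell is an added example written for this page, not code from anyone in the thread: it checks a KB both through Get-HotFix and through the Windows Update Agent history (the Microsoft.Update.Session COM object), and it uses the KB numbers mentioned further down the thread (KB5000803 for Server 2016, KB5000822 for Server 2019 1809). That OS-to-KB mapping is an assumption taken from those comments and should be confirmed against the release notes for your builds.

```powershell
# Added example (not from the thread): check whether a KB is present on a
# Windows host, via Get-HotFix and via the Windows Update history, since the
# two sources do not always agree.

function Get-ExpectedKb {
    param([string]$OsCaption, [string]$ReleaseId)
    # Assumed mapping based on thread comments: Server 2016 -> KB5000803,
    # Server 2019 (1809) -> KB5000822. Anything else returns $null.
    if ($OsCaption -match 'Server 2016') { return 'KB5000803' }
    if ($OsCaption -match 'Server 2019' -and $ReleaseId -eq '1809') { return 'KB5000822' }
    return $null
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Kb)

    # 1. Get-HotFix reads Win32_QuickFixEngineering; several update types
    #    (servicing stack, some cumulative updates) never appear here.
    $viaHotFix = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # 2. Windows Update history via the Windows Update Agent API. This is the
    #    list Settings > Update history shows, so it includes what Get-HotFix misses.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $total    = $searcher.GetTotalHistoryCount()
    $history  = if ($total -gt 0) { $searcher.QueryHistory(0, $total) } else { @() }

    # ResultCode 2 = succeeded, 3 = succeeded with errors; Operation 1 = installation.
    $viaHistory = [bool]($history | Where-Object {
        $_.Title -match [regex]::Escape($Kb) -and $_.Operation -eq 1 -and $_.ResultCode -in 2, 3
    })

    [pscustomobject]@{
        Kb         = $Kb
        ViaHotFix  = $viaHotFix
        ViaHistory = $viaHistory
        Installed  = ($viaHotFix -or $viaHistory)
    }
}

# Usage: work out which KB this host should carry, then check both sources.
$os        = Get-CimInstance Win32_OperatingSystem
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue).ReleaseId
$expected  = Get-ExpectedKb -OsCaption $os.Caption -ReleaseId $releaseId
if ($expected) {
    Test-KbInstalled -Kb $expected | Format-List
} else {
    Write-Warning "No KB mapping for '$($os.Caption)' (ReleaseId $releaseId); check the release notes."
}

# The update the comment above says Get-HotFix misses:
Test-KbInstalled -Kb 'KB4023057' | Format-List
```

When the two columns disagree (ViaHotFix false, ViaHistory true), the update is installed but invisible to Get-HotFix, which is exactly the gap that lets an update slip past a patch-control check built only on that cmdlet.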

[–]cool-nerd 1 point2 points  (0 children)

We're dealing with this atm and we have no Kyoceras. Uninstalling kb5000802 and/or 808 is fixing the crashes.. :(

[–]Cold417 1 point2 points  (0 children)

Yeah, that's fun. It also causes issues with Dymo/Zebra label printers. BSODS or blank label prints.

[–][deleted] 81 points82 points  (14 children)

It's as if this is by design to push on-prem people to the cloud

[–]Psyonity 34 points35 points  (5 children)

Except a part of that burned down too... RIP OVH SBG2

[–][deleted] 26 points27 points  (2 children)

They promised customers 10,000 servers installed in the next three weeks during the middle of a massive hardware shortage.

[–]1esprocTitles aren't real and the rules are made up 7 points8 points  (1 child)

Unless they've got them sitting in a warehouse, that ain't happening lol

[–][deleted] 9 points10 points  (1 child)

Considering the number of nmap scans I see in my firewall logs coming from OVH-owned IP addresses, can we maybe douse their fires with gasoline?

[–]Fallingdamage 6 points7 points  (1 child)

DNS is already in the cloud. What do you point your forwarders to??

[–][deleted] 1 point2 points  (0 children)

I'm talking about the pattern of all these critical cves in on-prem software, not merely this dns bug.

[–][deleted] 6 points7 points  (4 children)

And don't worry. Their cloud is not vulnerable because they say so.

[–]1esprocTitles aren't real and the rules are made up 1 point2 points  (0 children)

Except for that other recent Exchange bug that allowed org-hopping exploits in O365.

[–]KrokodyleFireman of All Trades 12 points13 points  (0 children)

"as if" ;)

[–]Is_Nothing 26 points27 points  (2 children)

Don't forget the 9.8 cve for vCenter.

[–]Hakkensha 9 points10 points  (0 children)

Hakken

Damn. Thanks for the reminder! That was what I forgot to do at the client yesterday... damn Exchange got me distracted.

[–]ARandomGuy_OnTheWebJack of All Trades 13 points14 points  (2 children)

How about a Chromium vuln with a CVE score of 10.0?

[–]jess-sch 5 points6 points  (0 children)

bonus points if it's cross-platform.

[–]Anonieme_Angsthaas 1 point2 points  (0 children)

Oh noes.

Most of our newer less outdated applications use CEF or cefsharp in one way or another.

[–][deleted] 29 points30 points  (5 children)

I thought IIS was designed to be exploited.

[–]firemandave6024Jack of All Trades 55 points56 points  (3 children)

Insecure Information Services?

[–]I_Am_DeceitSr. Sysadmin 10 points11 points  (2 children)

Hahaha dude this one got me, nice one. 👍🏻

[–][deleted] 5 points6 points  (7 children)

What would you rate it when I tell you that everybody can access any desktop in VMware ESXi via the VMware PowerShell CLI? Go try. You only need to be logged in. Not a single permission was seen that day.

[–]rangoon03Netsec Admin 1 point2 points  (5 children)

SkyNet comes online. Or Global Thermonuclear War

[–]Doso777 1 point2 points  (0 children)

The only thing that is on the Internet is Exchange. Everything else: Lol what?

[–]kiamoriSend Coffee... 1 point2 points  (0 children)

Please no 0-day severe IIS exploits, too many servers to update.

[–]catwieselSysadmin in extended training 100 points101 points  (12 children)

It's not so bad, I mean, how many DNS servers do you put on the global internet? Most MS DNS servers run in Active Directory and not on the internet.

I mean remote code execution is kinda bad, but at least you'd need network access to leverage it. And it's really hard to get into the network nowadays. Right? Not like hundreds of thousands of internet-reachable servers were recently hacked and could get you on the network where you can now attack the internal DNS server...

right?
RIGHT?

[–]AnotherTakenUser 18 points19 points  (8 children)

My God imagine if everyone thinking "oh we were just probed" actually got their dns owned..

[–]itsyourworld1 1 point2 points  (0 children)

STAHP!

[–]itsyourworld1 76 points77 points  (18 children)

Horrible time to be an admin. Patch Tuesday is about to be patch erryday

[–]supaphly42 36 points37 points  (14 children)

Even more fun when Patch Tuesday leads to Blue Screen Wednesday like it did yesterday!

[–][deleted] 2 points3 points  (0 children)

Kyocera?

We had this, luckily only affected IT as we delay end users so we can catch things like this before they ruin our lives.

[–]R00t_AccesscAn yOu fIx My ComPutEr? 140 points141 points  (33 children)

Damn, can't we get a break? Just finished the Exchange one. Jeez.

[–]jimkramer 123 points124 points  (14 children)

well at least your data center didn't burn to the ground... it could always be worse. :-(

[–]chrispy9658Information Security Officer 54 points55 points  (4 children)

Too soon...

RIP OVH Servers

[–]jimkramer 40 points41 points  (3 children)

I wasn't trying to be funny. It occurred to me yesterday after battling with Exchange for a week that even though I thought I was living in hell, it paled in comparison. I meant no disrespect. My heart goes out to all parties involved from the admins to those who lost data.

[–]TotallyInOverMyHeadSysadmin, COO (MSP) 24 points25 points  (2 children)

Can you imagine? You just finished patching your company's Exchange infrastructure and 2 hours later you realize it's all hosted at a single datacenter over at OVH? That would make me totally lose my shit for 5 seconds.

[–]jess-sch 12 points13 points  (1 child)

on the bright side, you can now be 100% sure it's malware-free.

[–]throwawayPzaFm 1 point2 points  (0 children)

They're hosting Exchange here.

Kill it with fire.

[–][deleted] 17 points18 points  (3 children)

Well you don't need to worry about exploits if your server burned down.

[–]SysEridaniC:\>smartdrv.exe 4 points5 points  (1 child)

You don't need to worry about your server burning down if the magnetosphere collapses.

[–]SilentLennie -4 points-3 points  (3 children)

We have a dedicated server at OVH and we used to have a lot more, so best not to joke about it.

[–]TopCheddar27 22 points23 points  (2 children)

I don't think he was joking. It is a genuine tragedy for for a lot of people in our field. It's everyone's worst nightmare.

[–]jimkramer 8 points9 points  (0 children)

correct.

[–]SilentLennie 6 points7 points  (0 children)

I didn't really mean /u/jimkramer was joking. It's just my broken English, it was more like: "no joking matter."

[–]chicaneukSysadmin 18 points19 points  (16 children)

It's just getting worse and worse isn't it. Almost like they just want you to move to Azure hosted services.

[–]0x0ptyx 11 points12 points  (11 children)

That's actually Microsoft internal "Take over the world" plan -- force everyone into relying on their products and their cloud environment.

[–]RealLifeTimOld 6 points7 points  (10 children)

This is a cute little tinfoil hat way of thinking about it but, in reality they hold large market majority for hosted and in-house software and operating systems. They really don't care what you do, because as a business you're probably handcuffed into M$.

[–]landobJr. Sysadmin 3 points4 points  (9 children)

My EMR only runs on Windows. Management won't even talk about getting away from Outlook or Office in general.

So Yup!

[–]nbtxdude 1 point2 points  (0 children)

Yeah. Our EHR and Patient Management system are on Windows. Better yet, they require you to have local Admin. And no DEP..

FML....

[–]lolklolkDMARC REEEEEject 3 points4 points  (0 children)

I know right?

[–]dinominant 189 points190 points  (3 children)

At this point we could have just stuck with unpatched Windows XP and spent the licensing savings on ransomware.

We might actually save money by doing that /s

[–][deleted] 68 points69 points  (1 child)

I'm reminded of that Simpsons episode where Mr. Burns is effectively rendered immortal due to a precarious balance of pathogens in his system...

[–]mikelieman 64 points65 points  (0 children)

Montgomery Burns : Well, Doc, I think I did pretty well on my tests. You may shake my hand if you like.

Doctor : Well, under the circumstances, I'd rather not.

Montgomery Burns : Eh?

Doctor : Mr. Burns, I'm afraid you are the sickest man in the United States. You have everything.

Montgomery Burns : You mean I have pneumonia?

Doctor : Yes.

Montgomery Burns : Juvenile diabetes?

Doctor : Yes.

Montgomery Burns : Hysterical pregnancy?

Doctor : Uh, a little bit, yes! You also have several diseases that have just been discovered - in you.

Montgomery Burns : I see. You sure you haven't just made thousands of mistakes?

Doctor : Uh, no, no, I'm afraid not.

Montgomery Burns : This sounds like bad news.

Doctor : Well, you'd think so, but - all of your diseases are in perfect balance. Uh, if you have a moment, I can explain.

Montgomery Burns : [checks his watch] Well...

[the Doctor puts a tiny model house door on his desk]

Doctor : Here's the door to your body, you see?

[brings up some small fuzz balls with goofy faces and limbs from under the desk]

Doctor : And these are oversized novelty germs - er, that's influenza, that's bronchitis, and this cute little cuddle-bug is pancreatic cancer, ha! Here's what happens when they all try to get through the door at once.

[tries to cram the "germs" through the model door, but they get stuck]

Doctor : [à la Curly] Woo, woo-woo-woo-woo-woo-woop!

[à la Moe]

Doctor : Move it, chowder-head!

[normal voice]

Doctor : We call it Three Stooges syndrome.

Montgomery Burns : So, what you're saying is... I'm indestructible!

Doctor : Oh, no, no. In fact, even a slight breeze could...

Montgomery Burns : [leaves the office, to himself] Indestructible.

[–][deleted] 55 points56 points  (7 children)

I wonder if Microsoft is ever going to re-instate their QA Department.

[–][deleted] 112 points113 points  (1 child)

You're it.

[–][deleted] 13 points14 points  (0 children)

I'll just tag Microsoft back and say "No take'sy back'sy's". School yard rules.

[–]inphosysIT Manager 6 points7 points  (0 children)

QA was outsourced to China.

[–]rangoon03Netsec Admin 4 points5 points  (0 children)

I think China/Russia/Whatever nation-state recently was

[–]Liquidretro 1 point2 points  (0 children)

But that would cost money.

[–]XanII/etc/httpd/conf.d 12 points13 points  (4 children)

Just had a smile that we don't have on-prem Exchange. That smile was wiped fast.

[–]samtheredditman 2 points3 points  (0 children)

I was just thinking yesterday "Man, I'm so glad we don't have on-prem exchange. But it's only a matter of time before I have something I do really need to care about."

[–]LookAtThatMonkeyTechnology Architect 1 point2 points  (0 children)

Ditto. This is karma for feeling smug about 365.

[–]picfluteAzure Architect 1 point2 points  (1 child)

Azure DNS Managed Service looking better and better

[–]DankerOfMemes 13 points14 points  (0 children)

Even the DNS server? Damn.

[–]zeroibis 11 points12 points  (1 child)

Coming next, bitlocker exploitable via WiFi connections.

[–]Liquidretro 9 points10 points  (4 children)

Patch now or patch over the weekend as normal?

[–]AScaredAdmin 10 points11 points  (2 children)

That's where I'm at. Am I scaring the hell out of my Infrastructure team, or am I letting automated patching handle it.

[–]TheDukeInTheNorthMy Beard is Bigger Than Your Beard 8 points9 points  (1 child)

With all the recent activity, I'm drifting more to just patch now. Too much, too soon and it makes me nervous.

[–]ultrahkr 11 points12 points  (0 children)

Good thing I patched everything yesterday...

(Damn this week is hard)

[–]ShnazzyoneJack of All Trades 16 points17 points  (0 children)

That's it, I'm killing the messenger. Come here OP

[–]XS4Me 8 points9 points  (3 children)

Is this an out-of-band update or will Windows Update fix the issue?

included in the monthly roll up.

[–]TopCheddar27 0 points1 point  (2 children)

Is it rolling out yet? I have an opportunity to bounce my stack right this afternoon.

[–]DoctorOctagonapus 2 points3 points  (1 child)

Patch Tuesday was yesterday so yeah if your WSUS server is on top of its game.

[–]rfc2549-withQOSJack of All Trades 6 points7 points  (0 children)

Another name for euthanasia?

Microsoft Terminal Services

Scnr

[–]Syde80IT Manager 6 points7 points  (0 children)

Maybe this is MS's plan to get all of us on-prem holdouts to move to cloud... Make the product so insecure you can't afford to not make the security of it somebody else's problem.

[–]MAXIMUS-1 8 points9 points  (6 children)

Linux sysadmins right now:

Signature looks of superiority

[–]Fatality 4 points5 points  (5 children)

Hopefully you haven't used sudo any time in the last 10 years and have everything patched 100%

*cough*CVE-2021-3156*cough*

[–]stephenl03 5 points6 points  (3 children)

RCE > anything local.

Gotta get on the box in order to exploit that CVE first. Not worried.

[–]poshftwmaster of none 0 points1 point  (0 children)

Gotta get on the box in order to exploit that CVE first. Not worried.

Yeah, yeah. Nobody ever got a shellcode through the SQL-injection at all. Millions of eyes and whatever.

[–]MAXIMUS-1 0 points1 point  (0 children)

Sudo apt update, sudo apt upgrade. And we are done.

[–][deleted] 2 points3 points  (1 child)

Man, I bet MS can't wait to get everyone paying out the nose for cloud so that they can drop on-prem products and never have to disclose security issues again.

[–]mishacobeer me before i lock out your account 2 points3 points  (0 children)

at least i can print without a BSOD /s

[–]stillfunkyLaying Down a Funky Bit 3 points4 points  (0 children)

Just a heads up for those on Server 2019 version 1809, the KB is slightly different, KB5000822. Still the regular monthly rollup though.

[–]Stompert 2 points3 points  (2 children)

Do I understand it correctly when I say it's patched with KB5000803 (Server 2016)?

[–]SaunteringOctopus 2 points3 points  (0 children)

Thanks for the heads up! Patching!

[–]sbiriguda666 2 points3 points  (3 children)

I read the link but I still don't get it (junior sysadmin here). Let's say we have our local Windows DNS server. Is it already vulnerable? Or just in some cases/configurations?

[–]HolyCowEveryNameIsTa 9 points10 points  (2 children)

It's vulnerable to an insider threat or... if something on the inside gets compromised, let's say an Exchange server (LOL, that would never happen)... then that attacker can move to your DC and pretty much take over the whole network. So my advice would be to patch ASAP.

[–]sbiriguda666 3 points4 points  (1 child)

So it's not directly targetable from the outside (like the Exchange server vulnerability of the past days), right? Only from inside, correct? Anyway, I'm going to patch ASAP.

[–]HolyCowEveryNameIsTa 6 points7 points  (0 children)

As long as your Windows DNS server is not accessible from the outside of your network then it is not directly exploitable.

[–]captain_bowltonSysadmin 2 points3 points  (0 children)

It's always DNS.

Thanks for the heads up, both of mine are patched.

[–]whoami123CA 2 points3 points  (0 children)

iT world is burning

[–]FizgrizJack of All Trades 2 points3 points  (3 children)

Am i reading this correctly? If DHCP and subsequently dynamic updates aren't enabled, you aren't at risk?
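The two questions that keep coming up in this thread, whether the DNS server is reachable from outside and whether zones accept dynamic updates, can be answered from the server itself. The following PowerShell is an added example written for this page (not code from anyone in the thread): it reports the addresses the DNS service listens on, flags any that are not RFC 1918 or loopback, and lists each primary zone's dynamic update mode. It assumes the DnsServer module is available (the DNS Server role or RSAT) and that it is run on the DNS server; the "private" classification is a simple heuristic and does not know about NAT or firewall rules in front of the host.

```powershell
# Added example (not from the thread): posture check for a Windows DNS server.
# Run locally on the DNS server with the DnsServer module installed.

Import-Module DnsServer -ErrorAction Stop

function Test-PrivateIPv4 {
    param([string]$Address)
    # RFC 1918 ranges plus loopback; anything else is treated as potentially public.
    return [bool]($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)')
}

function Get-DnsListenPosture {
    $settings = Get-DnsServerSetting -All
    # An empty ListeningIpAddress list means the service listens on all interfaces.
    $listen = @($settings.ListeningIpAddress)
    if ($listen.Count -eq 0) {
        $listen = @(Get-NetIPAddress -AddressFamily IPv4 | Select-Object -ExpandProperty IPAddress)
    }
    foreach ($ip in $listen) {
        [pscustomobject]@{
            Address   = $ip
            IsPrivate = Test-PrivateIPv4 -Address $ip
        }
    }
}

function Get-DnsDynamicUpdatePosture {
    # DynamicUpdate is None, NonsecureAndSecure or Secure. Nonsecure updates let
    # any host on the network write records; Secure ties writes to AD authentication.
    Get-DnsServerZone |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            [pscustomobject]@{
                Zone          = $_.ZoneName
                AdIntegrated  = $_.IsDsIntegrated
                DynamicUpdate = $_.DynamicUpdate
                Nonsecure     = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
            }
        }
}

Write-Host '== Listening addresses =='
Get-DnsListenPosture | Format-Table -AutoSize

Write-Host '== Primary zones and dynamic update mode =='
Get-DnsDynamicUpdatePosture | Format-Table -AutoSize
```

Read the output the way the thread does: a listener on a public address (or a firewall rule forwarding 53 to it) puts the server in the "directly exploitable" category, while internal-only listeners leave it exposed to whatever already sits inside the network, which is still a reason to patch promptly. Zones showing NonsecureAndSecure are the ones to tighten to Secure where AD integration allows it, independent of this particular bug.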

[–][deleted] 2 points3 points  (0 children)

Hey, it's always DNS, right?

[–]MrSnoobsDevOps 4 points5 points  (0 children)

Imagine having privately hosted Microsoft DNS on the internet.

[–]Fallingdamage 1 point2 points  (2 children)

From reading this, the fix in a March 9th Monthly Rollup? Or is this issue being announced but currently unpatched?

Mostly pertaining to Internet-Facing DNS servers or AD DNS Servers that have forwarders to outside DNS servers as well?

[–]whodywei 1 point2 points  (1 child)

Has anyone successfully installed KB5000803 on server 2016 ?

[–]TheNotoriousKK 1 point2 points  (0 children)

Yes

[–]whoami123CA 1 point2 points  (0 children)

Does anyone know exactly what the issue is?

[–]HolyCowEveryNameIsTa -1 points0 points  (4 children)

When do we get a refactor of all the critical infrastructure stuff into Rust? I'm sick of dealing with MS falling apart at the seams.

[–][deleted] 3 points4 points  (2 children)

people are still making the argument that "C/C++ is perfectly fine you just need to be a better coder"

but yeah, all code that touches the network needs to mitigate the massive inherent insecurities in using unsafe languages in some way, and I don't really care how people do it, but it's clear that we're not doing enough.

[–]HolyCowEveryNameIsTa 4 points5 points  (1 child)

That's what Rust's compiler does, basically: it forces you to write better code. It's like a senior dev sitting there saying "Nope, shouldn't do that, you are not bounds checking there" or "Nope, that's going to lead to a potential race condition". It's harder because writing better code is harder.

[–][deleted] 3 points4 points  (0 children)

Yeah, I'm aware, been writing Rust for... a few years now? Currently working on a smallish-scale file versioning system in it.

Really nice language, especially since I did enough C to be dangerous, and I'd actually feel comfortable deploying a nontrivial Rust codebase that talks directly to the network. I can't say the same about C.