September 10, 2020

Microsoft WSUS vulnerable to attack

Secure your WSUS environment with HTTPS for future updates.

Microsoft announced this week that installing this month’s (Sept 2020) security updates will stop future software updates from arriving for organizations whose Windows Server Update Services (WSUS) patch-management deployments connect over HTTP rather than HTTPS.

By default, WSUS is configured to deploy updates over HTTP, and this default deployment can be compromised via a man-in-the-middle (MITM) attack. To mitigate the vulnerability, WSUS administrators are advised to force the use of HTTPS, which encrypts the connections between clients and the web server, when deploying software updates.

IT staff will need to ensure that the following actions are taken before the next Patch Tuesday (October 13), according to Microsoft:

– Secure your WSUS environment with TLS/SSL protocol (configure servers with HTTPS).
– Set up system-based proxy for detecting updates if needed.
– Enable the “Allow user proxy to be used as a fallback if detection using system proxy fails” policy.

The announcement warned that “if none of these actions are taken your devices will stop successfully scanning for software updates after the September 2020 security update.”
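The following audit is an added example, not code from Microsoft or from the original announcement. It checks the three items above on a Windows client. It assumes the standard Windows Update policy registry values (`WUServer`, `WUStatusServer`, `SetProxyBehaviorForUpdateDetection`); the hostnames in the sample policy are constructed.

```powershell
# Added example (not from the original page): audit the Windows Update client
# policy for WSUS scans over plain HTTP. Sample hostnames below are constructed.
$WuPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$PolicyNames = 'WUServer', 'WUStatusServer', 'SetProxyBehaviorForUpdateDetection'

function Get-WsusScanPolicy {
    # Read the policy values from the local registry into a hashtable.
    $policy = @{}
    $props = Get-ItemProperty -Path $WuPolicyKey -ErrorAction SilentlyContinue
    foreach ($name in $PolicyNames) {
        if ($props -and $null -ne $props.$name) { $policy[$name] = $props.$name }
    }
    return $policy
}

function Test-WsusScanPolicy {
    param([hashtable] $Policy = @{})
    $findings = @()
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy[$name]
        $uri = $null
        if ([string]::IsNullOrWhiteSpace($url)) {
            $findings += "${name}: not set by policy"
        } elseif (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref] $uri)) {
            $findings += "${name}: '$url' is not a valid absolute URL"
        } elseif ($uri.Scheme -eq 'https') {
            $findings += "${name}: OK, HTTPS ($($uri.Host):$($uri.Port))"
        } else {
            $findings += "${name}: AT RISK, scans over $($uri.Scheme.ToUpper()) ($url)"
        }
    }
    # 1 = "Allow user proxy to be used as a fallback if detection using system proxy fails"
    if ($Policy['SetProxyBehaviorForUpdateDetection'] -eq 1) {
        $findings += 'User proxy fallback: enabled'
    } else {
        $findings += 'User proxy fallback: not enabled (system proxy only)'
    }
    return $findings
}

# Constructed policy: update server on HTTP, status server on HTTPS.
$sample = @{
    WUServer       = 'http://wsus.example.test:8530'
    WUStatusServer = 'https://wsus.example.test:8531'
}
Test-WsusScanPolicy -Policy $sample
# On a managed client: Test-WsusScanPolicy -Policy (Get-WsusScanPolicy)
```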

UW SSL certificates for this purpose are available for no fee from Identity & Access Management in the UW-IT Service Catalog.

Microsoft blog
https://techcommunity.microsoft.com/t5/windows-it-pro-blog/changes-to-improve-security-for-windows-devices-scanning-wsus/ba-p/1645547

GoSecure blog
https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/
