Microsoft Releases Out-of-band Update to Fix Windows Server Memory Leak Flaw

Microsoft released an out-of-band update, KB5037422, on March 22, 2024, specifically for Windows Server 2022 (OS Build 20348.2342) to address a critical memory leak issue in the Local Security Authority Subsystem Service (LSASS). 

The leak occurred on domain controllers (DCs) after installing the March 2024 security updates (KB5035857) and impacted both on-premises and cloud-based Active Directory DCs during Kerberos authentication requests. 

Excessive memory usage could lead to LSASS crashing and unexpected DC restarts, while the update addresses the LSASS memory leak and improves the overall servicing stack functionality for future Windows updates. 

Out-of-band Update

The memory leak vulnerability manifested after installing the KB5035857 update, which was released on March 12, 2024, as the flaw was triggered when DCs processed Kerberos authentication requests, leading to a substantial memory leak. 

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The excessive memory consumption could cause LSASS to crash, resulting in unexpected domain controller reboots, while the update specifically targets and resolves the critical LSASS memory leak issue. 

It’s essential to apply this update to DCs, especially those that haven’t yet uninstalled the vulnerable KB5035857 update, to prevent potential crashes and subsequent downtime on your domain network.

Microsoft released a servicing stack update (SSU) for Windows Server 2022, KB5035857 (OS Build 20348.2334), which specifically targets the servicing stack component, a critical system function responsible for the deployment of Windows updates. 

Windows Server Racks

By implementing quality improvements to the servicing stack, this SSU enhances its reliability and robustness. Consequently, devices receiving this update will benefit from a more efficient and reliable process for acquiring and installing future Windows updates. 

The improvement is particularly significant for maintaining a healthy and up-to-date Windows Server environment, as timely updates are essential for addressing security vulnerabilities, bug fixes, and new feature implementations.

The update delivers the latest cumulative update (LCU) bundled with the latest servicing stack update (SSU) for Windows 10, improving the reliability of the update process.  

While Microsoft isn’t aware of any issues, the update isn’t available through Windows Update or Windows Update for Business.

Instead, it needed to download from the Microsoft Update Catalog website or leverage Windows Server Update Services (WSUS) for deployment. 

If it is required to remove the LCU after installation, the DISM tool with the LCU package name can be used, but be aware that this won’t remove the SSU.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Lumma Stealer Attacking Users To Steal Login Credentials From Browsers

Researchers observed Lumma Stealer activity across multiple online samples, including PowerShell scripts and a disguised…

20 hours ago

New ‘OtterCookie’ Malware Attacking Software Developers Via Fake Job Offers

Palo Alto Networks reported the Contagious Interview campaign in November 2023, a financially motivated attack…

20 hours ago

NjRat 2.3D Pro Edition Shared on GitHub: A Growing Cybersecurity Concern

The recent discovery of the NjRat 2.3D Professional Edition on GitHub has raised alarms in…

20 hours ago

Palo Alto Networks Vulnerability Puts Firewalls at Risk of DoS Attacks

A critical vulnerability, CVE-2024-3393, has been identified in the DNS Security feature of Palo Alto…

20 hours ago

Araneida Scanner – Hackers Using Cracked Version Of Acunetix Vulnerability Scanner

Threat Analysts have reported alarming findings about the "Araneida Scanner," a malicious tool allegedly based…

2 days ago

A Dark Web Operation Acquiring KYC Details TO Bypass Identity Verification Systems

A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…

2 days ago