Microsoft Releases Out-of-band Update to Fix Windows Server Memory Leak Flaw

Microsoft released an out-of-band update, KB5037422, on March 22, 2024, specifically for Windows Server 2022 (OS Build 20348.2342) to address a critical memory leak issue in the Local Security Authority Subsystem Service (LSASS). 

The leak occurred on domain controllers (DCs) after installing the March 2024 security updates (KB5035857) and impacted both on-premises and cloud-based Active Directory DCs during Kerberos authentication requests. 

Excessive memory usage could lead to LSASS crashing and unexpected DC restarts, while the update addresses the LSASS memory leak and improves the overall servicing stack functionality for future Windows updates. 

Out-of-band Update

The memory leak vulnerability manifested after installing the KB5035857 update, which was released on March 12, 2024, as the flaw was triggered when DCs processed Kerberos authentication requests, leading to a substantial memory leak. 

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities. :

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The excessive memory consumption could cause LSASS to crash, resulting in unexpected domain controller reboots, while the update specifically targets and resolves the critical LSASS memory leak issue. 

It’s essential to apply this update to DCs, especially those that haven’t yet uninstalled the vulnerable KB5035857 update, to prevent potential crashes and subsequent downtime on your domain network.

Microsoft released a servicing stack update (SSU) for Windows Server 2022, KB5035857 (OS Build 20348.2334), which specifically targets the servicing stack component, a critical system function responsible for the deployment of Windows updates. 

Windows Server Racks

By implementing quality improvements to the servicing stack, this SSU enhances its reliability and robustness. Consequently, devices receiving this update will benefit from a more efficient and reliable process for acquiring and installing future Windows updates. 

The improvement is particularly significant for maintaining a healthy and up-to-date Windows Server environment, as timely updates are essential for addressing security vulnerabilities, bug fixes, and new feature implementations.

The update delivers the latest cumulative update (LCU) bundled with the latest servicing stack update (SSU) for Windows 10, improving the reliability of the update process.  

While Microsoft isn’t aware of any issues, the update isn’t available through Windows Update or Windows Update for Business.

Instead, it needed to download from the Microsoft Update Catalog website or leverage Windows Server Update Services (WSUS) for deployment. 

If it is required to remove the LCU after installation, the DISM tool with the LCU package name can be used, but be aware that this won’t remove the SSU.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Zohocorp ManageEngine ADAudit Plus SQL Injection Vulnerability

Zohocorp, the company behind ManageEngine, has released a security update addressing a critical SQL injection…

2 hours ago

Citrix Virtual Apps & Desktops Zero-Day Vulnerability Exploited in the Wild

A critical new vulnerability has been discovered in Citrix’s Virtual Apps and Desktops solution, which…

3 hours ago

Sonatype Nexus Repository Manager Hit by RCE & XSS Vulnerability

Sonatype, the company behind the popular Nexus Repository Manager, has issued security advisories addressing two…

5 hours ago

GeoVision 0-Day Vulnerability Exploited in the Wild

Cybersecurity researchers have detected the active exploitation of a zero-day vulnerability in GeoVision devices, which…

6 hours ago

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

3 days ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

3 days ago