Wednesday, December 18, 2024
HomeWindowsRecent Windows Server Updates Trigger Domain Controller Reboots & Crash

Recent Windows Server Updates Trigger Domain Controller Reboots & Crash

Published on

SIEM as a Service

Recent updates for Windows Server have been linked to significant disruptions in IT infrastructure, with numerous reports of domain controllers experiencing crashes and forced reboots.

The issues have been traced back to the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022, explicitly KB5035855 and KB5035857.

Impact on Domain Controllers

The core of the problem lies in a memory leak within the Local Security Authority Subsystem Service (LSASS), a critical component of the Windows operating system responsible for enforcing security policies and managing user logins, access token creation, and password changes.

- Advertisement - SIEM as a Service

The LSASS process is essential for the stable operation of domain controllers, which are pivotal in managing network security and user authentication within an organization’s IT environment.

Administrators have observed that domain controllers exhibit steadily increasing LSASS memory usage after installing the March updates.

This escalation in resource consumption eventually leads to the system becoming unresponsive, culminating in crashes and automatic reboots.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, that helps you to quantify risk accurately:

Such behavior disrupts normal business operations and poses a risk to network security and data integrity.

Causes of Crashes and Reboots

The LSASS memory leak introduced by the updates is the direct cause of the crashes and reboots.

Memory leaks occur when a program incorrectly manages memory allocations, reducing performance and system stability as the available memory is gradually exhausted.

In the case of domain controllers, the LSASS process’s memory leak leads to an unsustainable load on the system, forcing a crash as a last resort to recover from the failure.

Affected Windows Server Versions

The reported issues specifically affect Windows Server 2016 and Windows Server 2022.

These versions are widely used in enterprise environments, meaning the impact of the problem is potentially vast, affecting organizations globally.

This is not the first time LSASS-related issues have been reported after Windows Server updates—previous incidents were recorded in December 2022 and March 2022—which raises concerns about the recurring nature of such critical vulnerabilities.

User Reactions and Comments

The sysadmin community has been vocal about the disruptions, with many taking to online forums such as Reddit to share their experiences and seek advice. Comments range from frustration over the repeated nature of these issues to concerns about the lack of immediate solutions or workarounds.

Some users have reported rolling back the updates as a temporary fix, while others are waiting for Microsoft’s official response or patch.

A particular comment on the Microsoft Tech Community Exchange Team Blog highlights the severity of the issue, with one user stating, “This is a disaster. We’ve had to roll back the updates on all our DCs to prevent the entire network from going down.”

LSASS Process Memory Leak

The LSASS process memory leak is not new, but its recurrence is troubling for Microsoft and its user base.

The memory leak leads to a gradual increase in memory usage by the LSASS process until the system can no longer function properly. This type of issue requires prompt attention and resolution to maintain the security and stability of affected systems.

Microsoft has not released an official statement or solution regarding the March 2024 updates and the resulting domain controller crashes.

This situation underscores the importance of thorough testing and quality assurance in software updates, mainly when they affect critical components of enterprise IT infrastructure.

As the situation develops, system administrators are advised to monitor official channels for updates and consider holding off on applying the problematic updates until a fix is confirmed.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing...

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase...

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT,"...

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Windows RDP Service Flaw let Hackers Execute Remote Code

A critical security vulnerability (CVE-2024-49115) in Windows Remote Desktop Services (RDS) has been disclosed,...

Microsoft Patch Tuesday December 2024, 71 Vulnerabilities Fixed Including 1 Zero-day

In its final Patch Tuesday of 2024, Microsoft has released a significant security update...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...