Virtual Administrator’s April Patch Recommendations
This month Microsoft released patches for 149 vulnerabilities with 3 rated “Critical” in severity.
All new patches will be approved in our patch policy. We are also releasing KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022.
April brings a whopping 149 CVEs. This is one of the largest Patch Tuesdays on record and the largest since 2017.
The 3 critical are remote code execution (RCE) vulnerabilities in Microsoft Defender for IoT.
CVE-2024-29988 is a SmartScreen bypass vulnerability and CVE-2024-26234 is a Proxy Driver spoofing vulnerability. Both are being actively exploited.
Nearly half of this month’s patches address the Secure Boot Security Feature Bypass Vulnerability (24 CVEs) or Microsoft ODBC Driver, WDAC OLE DB Driver and OLE DB Driver for SQL Server Remote Code Execution Vulnerability (41 CVEs).
We are finally releasing KB5034439/KB5034440/KB5034441. New mitigations available for last year’s Secure Boot Security Feature Bypass vulnerability – see “Heads Up!” below. Microsoft released an Out-of-band patch on March 22 to address memory leaks on domain controllers (DCs) – see “FYI” below. New SSUs for Windows Server 2012/2016.
Disclosed: CVE-2024-26234, CVE-2024-29988
Exploited: CVE-2024-26234, CVE-2024-29988
Releasing KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022
These patches address a BitLocker vulnerability and were originally released in January 2024. In response to a large number of endpoints failing with a generic “0x80070643 – ERROR_INSTALL_FAILURE” error message, Microsoft promised a fix. To date the only relief they have provided is some PowerShell scripts to automate updating the Windows Recovery Environment (WinRE) partition. Because we no longer expect any further help from Microsoft, we are releasing these patches now.
If the patch fails it will not break the machine, but it will keep trying to install every time Automatic Update is scheduled.
The problem is space in the recovery partition. The BitLocker update requires 250MB of free space in the existing recovery partition. If that space is available the patch should install successfully. The patch will attempt to install even if your machine does not have BitLocker enabled. If you do not have BitLocker enabled, and the patch fails, it is safe to ignore the patch.
The vulnerability only exists if BitLocker is enabled. We have scripts in the Shared folder and on ClubMSP to check the “BitLocker Status”. If you need to ignore the failed patch, click on it from the Managed Machines > Patch Status > Failed Patches column and choose “Ignore.” Another option is “Need to block a troublesome Windows Update?” here: https://blockapatch.com/ Note: If WinRE is disabled, KB5034441 will be skipped as not applicable.
Below are some Microsoft links with guidance. A number of websites offer advice on automating the resizing of the Windows Recovery Environment (WinRE) partition. If you have a large number of machines needing resizing that may be worth pursuing.
CVE-2024-20666 | BitLocker Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666
KB5034957: Updating the WinRE partition on deployed devices to address security vulnerabilities in CVE-2024-20666
KB5028997: Instructions to manually resize your partition to install the WinRE update
Extend the Windows RE Partition
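As an added example (not one of the Shared-folder or ClubMSP scripts mentioned above), the following PowerShell triages a KB5034441 failure on one machine: it reports BitLocker protection status, whether WinRE is enabled, and how much free space the WinRE partition has against the 250MB the update needs. It assumes the BitLocker PowerShell module is present (Pro/Enterprise) and must run elevated.

```powershell
# Added example: triage KB5034441 (0x80070643) on the local machine. Run elevated.
$RequiredFreeMB = 250   # free space the BitLocker/WinRE update needs, per the post above

# BitLocker status of the OS volume; the CVE-2024-20666 exposure only exists if it is On.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$bitlockerOn = $os.ProtectionStatus -eq 'On'

# reagentc /info prints lines like:
#   Windows RE status:         Enabled
#   Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
$info = (reagentc /info) -join "`n"
$winreEnabled = $info -match 'Windows RE status:\s+Enabled'

$result = [ordered]@{
    Computer       = $env:COMPUTERNAME
    BitLocker      = $os.ProtectionStatus
    WinREEnabled   = $winreEnabled
    RecoveryFreeMB = $null
    Verdict        = 'Unknown'
}

# Resolve the recovery partition from the disk/partition numbers in the WinRE path
# (it has no drive letter, so Get-Volume is reached through Get-Partition).
if ($winreEnabled -and $info -match 'harddisk(\d+)\\partition(\d+)') {
    $disk = [int]$Matches[1]
    $part = [int]$Matches[2]
    $vol  = Get-Partition -DiskNumber $disk -PartitionNumber $part | Get-Volume
    $result.RecoveryFreeMB = [math]::Round($vol.SizeRemaining / 1MB)
}

$result.Verdict = if (-not $winreEnabled) {
    'WinRE disabled: KB5034441 will be skipped as not applicable'
} elseif ($result.RecoveryFreeMB -ge $RequiredFreeMB) {
    'Enough free recovery space: the update should install'
} elseif ($bitlockerOn) {
    'BitLocker on and recovery partition too small: resize per KB5028997'
} else {
    'BitLocker off: a failed KB5034441 can be ignored'
}

[pscustomobject]$result
```

Machines that land on the “resize” verdict are the ones worth scripting the WinRE partition resize for; the rest can be ignored or left to install on their own.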
Heads Up! Secure Boot and BitLocker, firmware considerations
These mitigations are OFF by default.
The April cumulative update makes available additional mitigations to protect against a Secure Boot security feature bypass that uses the BlackLotus UEFI bootkit tracked by CVE-2023-24932.
CVE-2023-24932 | Secure Boot Security Feature Bypass Vulnerability
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-24932
Known Issues
Firmware Issues: Not all device firmware will successfully update the Secure Boot DB or DBX. In the cases that we are aware of, we have reported the issue to the device manufacturer. See KB5016061: Secure Boot DB and DBX variable update events for details on logged events. Please contact the device manufacturer for firmware updates. If the device is not in support, Microsoft recommends upgrading the device – see KB5025885 for the impacted firmware.
BitLocker Recovery: Some devices may go into BitLocker recovery. Be sure to retain a copy of your BitLocker recovery key before enabling the mitigations.
KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
KB5016061: Secure Boot DB and DBX variable update events
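Before enabling the CVE-2023-24932 mitigations, it helps to know where a device already stands and that its BitLocker recovery key is escrowed. The following is an added example (not from the post or from Microsoft's KBs) that reads the Secure Boot DB and DBX variables and looks for the two certificate names KB5025885 documents: the new “Windows UEFI CA 2023” in the DB and the revoked “Microsoft Windows Production PCA 2011” in the DBX. It also lists the recovery-password protector IDs for the OS volume. Run elevated on a UEFI machine.

```powershell
# Added example: report CVE-2023-24932 (KB5025885) mitigation state on the local machine.
$report = [ordered]@{
    Computer           = $env:COMPUTERNAME
    SecureBoot         = $false
    NewCAInDB          = $false   # 'Windows UEFI CA 2023' present in the Secure Boot DB
    OldPCARevokedInDBX = $false   # 'Microsoft Windows Production PCA 2011' present in DBX
    RecoveryKeyIDs     = @()
    Verdict            = ''
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
try { $report.SecureBoot = Confirm-SecureBootUEFI } catch { $report.SecureBoot = $false }

if ($report.SecureBoot) {
    # DB/DBX are raw EFI signature lists; certificate subject names are ASCII-readable
    # inside them, so a substring match is enough to tell whether each update landed.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes)
    $report.NewCAInDB          = $db  -match 'Windows UEFI CA 2023'
    $report.OldPCARevokedInDBX = $dbx -match 'Microsoft Windows Production PCA 2011'
}

# Recovery-password protector IDs for the OS volume. Make sure these keys are escrowed
# (AD, Intune, or your documentation system) before enabling the mitigations, because
# some devices drop into BitLocker recovery afterwards.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$report.RecoveryKeyIDs = @($os.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword' |
    ForEach-Object KeyProtectorId)

$report.Verdict = if (-not $report.SecureBoot) {
    'Secure Boot off: the mitigations do not apply'
} elseif (-not $report.NewCAInDB) {
    'DB not updated: mitigations still OFF, or firmware rejected the DB update (check KB5016061 events)'
} elseif (-not $report.OldPCARevokedInDBX) {
    'New CA in DB, old PCA not yet revoked in DBX: revocation step still pending'
} else {
    'DB and DBX both updated: mitigations fully applied'
}

[pscustomobject]$report
```

A device that reports Secure Boot on but no new CA after the mitigation was enabled is the firmware case from “Known Issues” above and belongs on the list for a manufacturer firmware update.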
FYI – Out-of-band (OOB) fix for the Windows Server LSASS memory leak, released in late March.
KB5037422, KB5037423, KB5037425, KB5037426 are only available from the Microsoft Update Catalog. It’s unclear if the fix is included in this month’s cumulative patch, but it does not list the memory leak as a known issue – so it likely is included. If you have a problem-free DC without the OOB installed, we recommend installing April’s cumulative update and evaluating performance. Links for the downloads can be found in last month’s Patch Recommendations here: https://clubmsp.com/msp/patch-updates/virtual-administrators-march-patch-recommendations/
“This update addresses a known issue that affects the Local Security Authority Subsystem Service (LSASS). It might leak memory on domain controllers (DCs). This issue occurs after you install [March Cumulative Update]. The leak occurs when on-premises and cloud-based Active Directory DCs process Kerberos authentication requests. This substantial leak might cause excessive memory usage. Because of this, LSASS might stop responding, and the DCs will restart when you do not expect it.”
Windows Server 2022
March 22, 2024—KB5037422 (OS Build 20348.2342) Out-of-band
Issue with Kerberos requests on domain controllers may cause LSASS memory leaks
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#3271msgdesc
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 4/9/2024)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10 Servicing Stack Updates are included in the monthly Cumulative Updates.
Known Issues
Windows 10 versions 21H2/22H2 – Enterprise customers might be unable to use Microsoft Connected Cache
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues it is unlikely it will occur now.
A good resource for known issues with Windows 10/11 patches is the page below. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Windows devices that use the DHCP Option 235 may download updates and apps directly from the internet.
Affected platforms: Windows 10, version 21H2/22H2
Symptom: After you install KB5034203 (dated 01/23/2024) or later updates, some Windows devices that use the DHCP Option 235 to discover Microsoft Connected Cache (MCC) nodes in their network might be unable to use those nodes. Instead, these Windows devices will download updates and apps from the public internet. IT administrators also see increased download traffic on their internet routes.
Those of you who use the Home edition of Windows are not likely to experience this issue. MCC and DHCP Option 235 are typically used in enterprise environments.
Workaround: Option 1: Configure the Microsoft Connected Cache endpoint in the DOCacheHost policy as indicated in Cache hostname. Additionally, DOCacheHostSource has to be set to 1 or removed as indicated in Cache hostname source. By default, the DOCacheHost and DOCacheHostSource policies have no value.
Option 2: You can mitigate this issue using Group Policies available through our support channel. Organizations can request help at Support for business.
Status: We are working on a resolution and will provide an update in an upcoming release.
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs
Links are https://support.microsoft.com/en-us/help/####### with the KB number only.
Security and Quality Rollup
- KB5036960 – Windows Server 2012 R2 (ESU)
- KB5036969 – Windows Server 2012 (ESU)
Security Only Update
- None – Windows Server 2012 R2 (ESU)
- None – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5036925 – Original release version 1507 (OS Build 10240)
- KB5036899 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5036896 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5036892 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5036892 – Version 22H2 “November 2022 Update” (OS Build 19045)
- (Versions 1511, 1703, 1709, 1803, 1903, 1909, 2004, 20H2, 21H1 are no longer under support)
Windows 11
- KB5036894 – 21H2 (OS Build 22000) Original release
- KB5036893 – 22H2 (OS Build 22621)
- KB5036893 – 23H2 (OS Build 22631)
Windows Server
- KB5036899 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5036896 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5036909 – Server 2022 (OS Build 20348)
- KB5036910 – Server 23H2 (OS Build 25398)
April 2024 updates for Microsoft Office
Notable CVEs
CVE-2024-20665 | BitLocker Security Feature Bypass Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20665
An attacker who successfully exploited this vulnerability could bypass Secure Boot. Successful exploitation of this vulnerability requires an attacker to compromise admin credentials on the device.
CVE-2024-20678 | Remote Procedure Call Runtime Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20678
Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges. To exploit this vulnerability, an authenticated attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.
CVE-2024-26221 | Windows DNS Server Remote Code Execution Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26221
In a network-based attack an attacker would need to have the privileges to query the Domain Name Service (DNS). If the timing of DNS queries is perfect, the attacker could execute code remotely on the target server.
CVE-2024-26234 | Proxy Driver Spoofing Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-26234
Revokes a Microsoft Windows Hardware Compatibility Publisher signature.
CVE-2024-29988 | SmartScreen Prompt Security Feature Bypass Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29988
To exploit this security feature bypass vulnerability, an attacker would need to convince a user to launch malicious files using a launcher application that requests that no UI be shown.