Virtual Administrator’s March Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 59 vulnerabilities with 2 rated “Critical” in severity.

IMPORTANT UPDATE:

Microsoft released an Out-of-band patch for Server 2012/2016/2019/2022 to address memory leaks on domain controllers (DCs).

The patch is only available from the Microsoft Update Catalog (MUC) and needs to be downloaded and installed manually. The links are below.

This “update addresses a known issue that affects the Local Security Authority Subsystem Service (LSASS). It might leak memory on domain controllers (DCs). This issue occurs after you install” the March Cumulative Update. “The leak occurs when on-premises and cloud-based Active Directory DCs process Kerberos authentication requests. This substantial leak might cause excessive memory usage. Because of this, LSASS might stop responding, and the DCs will restart when you do not expect it.”

KB5037426 OOB replacing KB5035885 – Windows Server 2012 R2 (ESU)
MUC: https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/03/windows8.1-kb5037426-x64_9120fca5c7b98406fdb5df9629dc05c3757b1dee.msu
KB5037426: Update to address a known issue that affects LSASS in Windows Server 2012 R2
https://support.microsoft.com/en-us/topic/kb5037426-update-to-address-a-known-issue-that-affects-lsass-in-windows-server-2012-r2-eda1002a-4b4d-4c99-8383-b0e2bab5c1d0

KB5037423 OOB replacing KB5035855 – Server 2016 (same KB as Windows 10 Version 1607)
MUC: https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/03/windows10.0-kb5037423-x64_1032bb3554d40ec5df5f9c08b8f1078905fb5157.msu
March 22, 2024—KB5037423 (OS Build 14393.6799) Out-of-band
https://support.microsoft.com/en-us/topic/march-22-2024-kb5037423-os-build-14393-6799-out-of-band-1775cda2-4bb6-43a9-9fd4-ddc3528d3408

KB5037425 OOB replacing KB5035849 – Server 2019 (same KB as Windows 10 Version 1809)
MUC: https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/03/windows10.0-kb5037425-x64_41cda5553d76768e7bbf158dcf40690fe25cd870.msu
March 25, 2024—KB5037425 (OS Build 17763.5579) Out-of-band
https://support.microsoft.com/en-us/topic/march-25-2024-kb5037425-os-build-17763-5579-out-of-band-fa8fb7fa-8185-408f-bdd6-ea575ce2fcb5

KB5037422 OOB replacing KB5035857 – Server 2022 (OS Build 20348)
MUC: https://catalog.s.download.windowsupdate.com/d/msdownload/update/software/updt/2024/03/windows10.0-kb5037422-x64_22f9c64db01978f109c6336a4ece8d381f07f75d.msu
March 22, 2024—KB5037422 (OS Build 20348.2342) Out-of-band
https://support.microsoft.com/en-us/topic/march-22-2024-kb5037422-os-build-20348-2342-out-of-band-e8f5bf56-c7cb-4051-bd5c-cc35963b18f3

 

—————————————————————————————————————————————————

All new patches will be approved in our patch policy. (Still deferring KB5034439/KB5034440/KB5034441 for Windows 10/11/Server 2022.)

Fewer patches this month and so far none are publicly known or under active attack. The only critical vulnerabilities (CVE-2024-21407/CVE-2024-21408) are for Windows Hyper-V. These are a Remote Code Execution and a Denial of Service flaws.

Another Remote Code Execution Vulnerability exists in Microsoft Exchange Server 2016/2019 (CVE-2024-26198) and Open Management Infrastructure (CVE-2024-21334).

There are a few known issues with the Exchange patches detailed below.  Also additional steps may be necessary for the Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability (CVE-2024-21400).  New SSUs for Windows Server 2012/2016.

 

Disclosed: None

Exploited: None

 

Deferring KB5034439/KB5034440/KB5034441 – No fix yet from Microsoft.

Please read details on Microsoft’s recommendations to mitigate the failures. Keep in mind exploiting this vulnerability requires physical access to the machine. If the installation fails it will cause no other issues. It will simply keep showing up as a missing patch.

Windows Recovery Environment servicing failed (KB5034439/KB5034441/KB5034440)

https://support.microsoft.com/en-us/topic/kb5034441-windows-recovery-environment-update-for-windows-10-version-21h2-and-22h2-january-9-2024-62c04204-aaa5-4fee-a02a-2fdea17075a8

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-20666

Affected platforms: Windows 10/11/Server 2022

Symptom: Some computers might not have a recovery partition that is large enough to complete this update. Because of this, the update for WinRE might fail.

Workaround: Resize your partition to install the WinRE update.

 

How to push out a specific patch in Kaseya

  • Go to Patch Management> Manage Updates> Patch Update
  • Uncheck “Hide machines set for  Automatic Update” and “Hide patches denied by  Patch Approval”
  • Find patch by KB and click “Machines” then “Schedule” the install.

 

Heads Up! KB5035849 fails to install

A number of reports the cumulative update KB5035849 fails to install on Windows 10 and Windows Server systems with 0xd0000034 errors.  These seem to only occur when checking for updates via Windows Update.  KB5035849 will install if downloaded from Microsoft’s Update Catalog. Kaseya users should not see this problem as Kaseya installs the patch “manually”.

 

FYI – Bug in last month’s Windows 11 22H2/23H2 CU (KB5034765) fixed with latest CU KB5035853

Windows 11 devices attempting to install the February 2024 security update, released February 13, 2024 (KB5034765), might face issues during the update process. The installation might fail when the update’s download reaches 96% of completion, and the device might roll back to the previous update installed.

Resulting from this error, the following message might be displayed:

“Something didn’t go as planned. No need to worry – undoing changes. Please keep your computer on”.

This issue might be reflected in the Windows Event Viewer with error code ‘0x800F0922’.

 

Security Update Guide

https://msrc.microsoft.com/update-guide/en-us

 

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:3/12/2024)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

NOTE: The Windows 10 Security Stack Updates are included in the monthly Cumulative Updates.

 

Known Issues

A few problems with updates for Exchange Server 2016/2019.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

 

Good resource for known issues with Windows 10/11 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

 

Exchange Server 2016/2019 Update

Description of Security Update 1 for Exchange Server 2019: March 12, 2024 (KB5036401)

https://support.microsoft.com/en-us/topic/description-of-security-update-1-for-exchange-server-2019-march-12-2024-kb5036401-9160baeb-6306-4384-a5c9-94b0a18cba8e

Description of Security Update 5 for Exchange Server 2019: March 12, 2024 (KB5036402)

https://support.microsoft.com/en-us/topic/description-of-security-update-5-for-exchange-server-2019-march-12-2024-kb5036402-bb2750a8-f738-4776-85d1-d11bf4cf5b74

Description of Security Update 12 for Exchange Server 2016: March 12, 2024 (KB5036386)

https://support.microsoft.com/en-us/topic/description-of-security-update-12-for-exchange-server-2016-march-12-2024-kb5036386-60a770fb-88da-4e46-b51c-1448dd8f8d1d

Known issues in this security update

After you install this security update (SU), the program no longer supports the Oracle Outside In Technology (OIT) or OutsideInModule. OIT performs text extraction operations when you process email messages that have attachments. For more information, see The OutsideInModule module is disabled after installing the March 2024 SU (https://support.microsoft.com/topic/5037191).

After you install this security update (SU), Download Domains are no longer working as expected. For more information, see Download domains not working after installing the March 2024 SU (https://support.microsoft.com/topic/5037171).

After you install this security update (SU), OwaDeepTestProbe and EacBackEndLogonProbe are no longer working. For more information, see OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU (https://support.microsoft.com/topic/5037172).

 

Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022 KBs

Links are https://support.microsoft.com/en-us/help/####### with the KB number only.

 

Security and Quality Rollup

  • KB5035885 – Windows Server 2012 R2 (ESU)
  • KB5035930 – Windows Server 2012 (ESU)

 

Security Only Update

  • None – Windows Server 2012 R2 (ESU)
  • None – Windows Server 2012 (ESU)

 

Cumulative Updates

Windows 10

  • KB5035858 – Original release version 1507 (OS Build 10240)
  • KB5035855 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5035849 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5035845 – Version 21H2 “November 2021 Update” (OS Build 19044)
  • KB5035845 – Version 22H2 “November 2022 Update” (OS Build 19045)
  • (Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)

 

Windows 11

  • KB5035854 – 21H2 (OS Build 22000) Original release
  • KB5035853 – 22H2 (OS Build 22621)
  • KB5035853 – 23H2 (OS Build 22631)

 

Windows Server

  • KB5035855 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5035849 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5035857 – Server 2022 (OS Build 20348)

 

March 2024 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/march-2024-updates-for-microsoft-office-d85bade8-44b4-4d80-900d-f1fd3fcc5e6b

 

Notable CVEs

 

CVE-2024-21400 – Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21400

Successful exploitation of this vulnerability requires an attacker to prepare the target environment to improve exploit reliability.

 

CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability   (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21407

This vulnerability would require an authenticated attacker on a guest VM to send specially crafted file operation requests on the VM to hardware resources on the VM which could result in remote code execution on the host server. Successful exploitation of this vulnerability requires an attacker to gather information specific to the environment and take additional actions prior to exploitation to prepare the target environment.

 

CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21408

Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host.

 

CVE-2024-21426 | Microsoft SharePoint Server Remote Code Execution Vulnerability (KB5002559,KB5002562,KB5002564)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-21426

An attacker must send the user a malicious file and convince them to open it. An attacker who successfully exploits this vulnerability could perform a remote attack that could enable access to the victim’s information and the ability to alter information. Successful exploitation could also potentially cause downtime for the targeted environment.

 

CVE-2024-21433 | Windows Print Spooler Elevation of Privilege Vulnerability  (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21433

Successful exploitation of this vulnerability requires an attacker to win a race condition. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

 

CVE-2024-21334 | Open Management Infrastructure (OMI) Remote Code Execution Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21334

A remote unauthenticated attacker could access the OMI instance from the Internet and send specially crafted requests to trigger a use-after-free vulnerability. Customers running affected versions of SCOM (System Center Operations Manager) should update to OMI version 1.8.1-0.

 

CVE-2024-26198 | Microsoft Exchange Server Remote Code Execution Vulnerability (KB5036386,KB5036401,KB5036402)

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-26198

This attack requires a specially crafted file to be placed either in an online directory or in a local network location. When a victim runs this file, it loads the malicious DLL. An unauthenticated attacker could exploit the vulnerability by placing a specially crafted file onto an online directory or in a local network location then convincing the user to open it. In a successful attack, this will then load a malicious DLL which could lead to a remote code execution.