Microsoft has expedited the release of out-of-band (OOB) updates to fix a memory leak in the Local Security Authority Subsystem Service (LSASS) on some versions of Windows Server when they run as domain controllers. The leak occurs while LSASS services Kerberos authentication requests.
The issue, a regression introduced with the March 2024 security updates, affects both on-premises and cloud-hosted Active Directory domain controllers. LSASS memory consumption grows with each Kerberos request it services and is not released, so an unpatched domain controller degrades over time and can eventually exhaust memory and fail or stop responding to authentication requests; only a restart of the DC reclaims the memory until the fix is installed.
"We identified this issue in the LSASS component and recognized the need to push out a fix as quickly as possible to protect customers running domain controllers on affected Windows Server versions," said Aria Carricarte, Partner Director of the Microsoft Security Response Center. "These out-of-band updates were expedited to get the patch in the hands of IT admins before the start of the new work week."
The out-of-band updates are cumulative, so no prior updates need to be installed first. They supersede any previous cumulative updates released for the affected operating systems.
Patches are available now for Windows Server 2022, Windows Server 2016, and Windows Server 2012 R2 on the Microsoft Update Catalog. An update for Windows Server 2019 is expected to follow soon.
Home users are not impacted
The out-of-band updates were released only for the affected Windows Server versions. Home users and other non-enterprise customers are not impacted, because the leak exists only on domain controllers, which are used in corporate networks and data centres for centralized authentication and management of Windows client/server infrastructure.
Microsoft is urging all IT administrators to review the below Knowledge Base articles and deploy the applicable out-of-band updates as soon as possible on their domain controllers, especially if the March 2024 monthly rollup has not yet been installed.
- Windows Server 2022: KB5037422
- Windows Server 2019: Available soon
- Windows Server 2016: KB5037423
- Windows Server 2012 R2: KB5037426
The OOB updates and their associated guidance are documented in the Knowledge Base articles listed above. If your organization runs the affected server platforms as domain controllers and has not yet deployed the March 2024 security update, Microsoft recommends applying the OOB update instead: it is cumulative, so it carries the March security fixes without the LSASS regression.
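An added example (not taken from Microsoft's KB articles) of the check an administrator would run against a fleet of domain controllers: map each DC's OS build to the OOB KB listed above, confirm whether that KB is installed, and sample the working set of lsass.exe, since a steadily growing LSASS working set on a DC is the symptom of this leak. The build-to-KB mapping reflects the list above (Server 2019 has no KB yet); the 1 GB warning threshold is an assumption to tune to your DC sizing; the script targets Windows PowerShell 5.1 because Get-Process -ComputerName is not available in PowerShell 7.

```powershell
# Added example, not Microsoft's own tooling. Run from Windows PowerShell 5.1 with
# an account that can query the DCs remotely (WMI/CIM and remote process access).
param(
    [string[]]$ComputerName = $env:COMPUTERNAME,
    [int]$WorkingSetWarnMB  = 1024   # assumed threshold; tune to your DC's normal LSASS footprint
)

# OS build number -> OOB KB from the list above. $null = no OOB published yet.
$OobByBuild = @{
    '20348' = 'KB5037422'   # Windows Server 2022
    '17763' = $null         # Windows Server 2019: "available soon" at publication time
    '14393' = 'KB5037423'   # Windows Server 2016
    '9600'  = 'KB5037426'   # Windows Server 2012 R2
}

foreach ($dc in $ComputerName) {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $dc
    $build = $os.BuildNumber
    $listed = $OobByBuild.ContainsKey($build)
    $kb = if ($listed) { $OobByBuild[$build] } else { $null }

    # Get-HotFix returns nothing (or a non-terminating error) when the KB is absent.
    $installed = $false
    if ($kb) {
        $installed = [bool](Get-HotFix -Id $kb -ComputerName $dc -ErrorAction SilentlyContinue)
    }

    # Current working set of LSASS; compare samples over time to see whether it keeps growing.
    $lsass = Get-Process -Name lsass -ComputerName $dc -ErrorAction SilentlyContinue
    $wsMB  = if ($lsass) { [math]::Round($lsass.WorkingSet64 / 1MB) } else { $null }

    $status =
        if (-not $listed)                  { 'Build not in the affected list above' }
        elseif (-not $kb)                  { 'Affected build, OOB not yet published (Server 2019)' }
        elseif (-not $installed)           { 'PATCH: apply the OOB update and reboot' }
        elseif ($wsMB -gt $WorkingSetWarnMB) { 'Patched, but LSASS is still large: confirm the DC rebooted after the update' }
        else                               { 'OK' }

    [pscustomobject]@{
        ComputerName = $dc
        OS           = $os.Caption
        Build        = $build
        RequiredKB   = if ($kb) { $kb } else { 'n/a' }
        KBInstalled  = $installed
        LsassWS_MB   = $wsMB
        Status       = $status
    }
}
```

Usage: save as Check-LsassOob.ps1 and run `.\Check-LsassOob.ps1 -ComputerName dc01,dc02 | Format-Table`. Schedule it hourly and keep the LsassWS_MB column; on an unpatched DC the value climbs monotonically between reboots, which is the signal that the OOB update is needed before the DC runs out of memory.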