Microsoft rushes emergency updates to address Windows Server crashes

Problems caused by latest Patch Tuesday update

Microsoft rushes emergency updates to address memory issue causing Windows Server crashes

Image:
Microsoft rushes emergency updates to address memory issue causing Windows Server crashes

Microsoft has rolled out emergency out-of-band (OOB) security updates to address a critical memory leak issue affecting select versions of Windows Server domain controllers (DCs), causing servers to freeze and restart.

The emergency updates follow numerous warnings from system administrators over the past week, who reported that their servers were freezing and restarting unexpectedly since installation of the updates released by Microsoft earlier this month.

One system admin told Bleeping Computer that following the installation of the March updates, encompassing both Exchange and standard Windows Server updates, a majority of their DCs exhibited a continuous rise in local security authority subsystem service (LSASS) memory usage until eventual system crash.

Another admin said: "Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung."

Microsoft officially acknowledged the issue, stating that it affected all DC servers with the latest Windows Server 2012 R2, 2016, 2019, and 2022 updates.

The company said only enterprise systems using the affected Windows Server platform need apply the updates; home users remain unaffected.

According to Microsoft, the problem arise following the installation of the security update (KB5035857), released on 12 March 2024.

The company said the LSASS process may experience a memory leak when on-premises and cloud-based Active Directory DCs process Kerberos authentication requests, which could ultimately lead to crashes and unscheduled reboots.

"We identified this issue in the LSASS component and recognised the need to push out a fix as quickly as possible to protect customers running domain controllers on affected Windows Server versions," said Aria Carricarte, partner director of the Microsoft Security Response Center.

"These out-of-band updates were expedited to get the patch in the hands of IT admins before the start of the new work week."

The newly released out-of-band updates are cumulative, and supersede any previous cumulative updates rolled out for the impacted operating systems.

Currently, patches are accessible for Windows Server 2022 (KB5037422), Windows Server 2016 (KB5037423), and Windows Server 2012 R2 (KB5037426) via the Microsoft Update Catalog. An update for Windows Server 2019 is anticipated shortly.

Microsoft urges all IT admins to promptly review the provided Knowledge Base articles and deploy the relevant out-of-band updates on their domain controllers.

"If your organisation uses the affected server platforms as DCs and you haven't deployed the March 2024 security updated yet, we recommend you apply this OOB update instead."

The incident isn't the first time Microsoft has grappled with LSASS-related issues.

In December 2022, Microsoft addressed another instance of an LSASS memory leak impacting DCs. Following the installation of Windows Server updates released during November 2022's Patch Tuesday, affected servers experienced freezing and subsequent restarts.

A similar issue was resolved by the company in March 2022.