Microsoft confirms memory leak in March Windows Server security update
ALSO: Viasat hack wiper malware is back, users are the number one cause of data loss, and critical vulns
Infosec in brief If your Windows domain controllers have been crashing since a security update was installed earlier this month, there's no longer any need to speculate why: Microsoft has admitted it introduced a memory leak in its March patches and fixed the issue.
Reports of the bug poured in over recent days as sysadmins saw Windows Server systems freezing and restarting. Microsoft has since confirmed the issue lies in the Local Security Authority Subsystem Service (LSASS) process on Windows Server 2012 R2 (no longer under support), 2016, 2019 and 2022.
The issue is triggered "when on-premises and cloud-based Active Directory Domain Controllers service Kerberos authentication requests," Microsoft noted in posts detailing known issues with its Server OS, including KB5035849, KB5035855 and KB5035857.
"Extreme memory leaks may cause LSASS to crash, which triggers an unscheduled reboot of underlying domain controllers," Redmond noted, adding that the root cause has been identified and a patch will be issued in coming days.
A patch has now been delivered.
Until you install that fix, the only way to keep a domain controller from falling over is to watch LSASS memory use on each DC and restart it on your own schedule before the leak does it for you. Of course, if you don't have the patience or staff to dedicate to such an endeavor, there is another option: uninstall the patches that introduced the issue.
As one Reddit user on r/sysadmin pointed out, the rollback is relatively simple. From a command prompt run as an administrator, enter the one that matches your Windows Server version:

    wusa /uninstall /kb:5035849    (Windows Server 2019)
    wusa /uninstall /kb:5035855    (Windows Server 2016)
    wusa /uninstall /kb:5035857    (Windows Server 2022)

The domain controller needs a reboot afterwards, and bear in mind that removing the update also removes the other March security fixes it carried.
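If you would rather watch than roll back, the following PowerShell is an added example (not code from the article, Microsoft, or the Reddit thread) that checks every domain controller for the three March updates and reports how much private memory LSASS is currently holding. It assumes the RSAT ActiveDirectory module on the management host, CIM/WMI access to each DC, and an alert threshold (WarnMB) that you tune to your own DCs; the function and variable names are the example's own.

```powershell
# Added example: report which DCs still carry the leaky March 2024 LCUs and how
# fat LSASS has grown on each. Not code from The Register or Microsoft.
# Assumes: RSAT ActiveDirectory module, CIM/WMI reachability to every DC.
$LeakyKbs = 'KB5035849', 'KB5035855', 'KB5035857'   # the March LCUs named in the article

function Get-DcLsassStatus {
    param(
        # Defaults to every DC in the current domain.
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName,
        # Assumed threshold; LSASS on a healthy DC is usually far below this.
        [int]$WarnMB = 2048
    )

    foreach ($dc in $DomainController) {
        # Get-HotFix reads Win32_QuickFixEngineering, which lists installed LCUs by KB number.
        $installed = Get-HotFix -ComputerName $dc -ErrorAction SilentlyContinue |
            Where-Object { $_.HotFixID -in $LeakyKbs } |
            Select-Object -ExpandProperty HotFixID

        # PrivatePageCount is private commit in bytes; a leaking LSASS climbs steadily between reboots.
        $lsass  = Get-CimInstance -ClassName Win32_Process -ComputerName $dc `
                      -Filter "Name='lsass.exe'" -ErrorAction SilentlyContinue
        $privMB = if ($lsass) { [math]::Round($lsass.PrivatePageCount / 1MB) } else { -1 }  # -1 = unreachable

        if ($installed -and $privMB -gt $WarnMB) { $action = 'roll back or reboot before LSASS crashes' }
        elseif ($installed)                       { $action = 'leaky LCU present; keep sampling' }
        elseif ($privMB -lt 0)                    { $action = 'could not query' }
        else                                      { $action = 'ok' }

        [pscustomobject]@{
            DomainController = $dc
            LeakyKbInstalled = ($installed -join ', ')
            LsassPrivateMB   = $privMB
            Action           = $action
        }
    }
}

# Run it from a scheduled task every few minutes and keep the output: the trend
# across samples, not any single reading, is what tells you a DC is about to go.
Get-DcLsassStatus | Format-Table -AutoSize
```

One caveat on the rollback itself: on Windows Server 2016 and 2019 the wusa commands above work, but on Windows Server 2022 the monthly update ships as a combined servicing stack and cumulative update, and wusa /uninstall will not remove it. There, list the installed packages with DISM /Online /Get-Packages, remove the cumulative update's package with DISM /Online /Remove-Package /PackageName:<that package name>, and reboot.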
Home users need not worry – this is an enterprise-level server issue only.
Critical vulnerabilities: More dead Atlassian links
Atlassian leads the list this week with a CVSS 10.0 SQL injection vulnerability (CVE-2024-1597) in Bamboo Data Center and Server. Atlassian has patched the issue, but the flaw isn't in Atlassian's own code: it sits in what the company calls a "non-Atlassian Bamboo dependency."
That said, Atlassian did send out emails to customers to warn them of the issue before the links offering information about the vulnerability had gone live – a mistake we note it's made before. Someone needs some remedial email scheduling training.
Elsewhere:
- CVSS 9.9 – CVE-2023-46808: Ivanti Neurons for ITSM versions 2023.1, 2023.2 and 2023.3 are vulnerable to remote file writes in sensitive directories. Patches are available.
- CVSS 9.6 – CVE-2023-41724: All supported versions of Ivanti Standalone Sentry, and older unsupported versions as well, are vulnerable to remote code execution. Patches are available.
- CVSS 8.7 – CVE-2024-2442: Franklin Fueling System EVO 550 and 5000 tank gauges contain a path traversal vulnerability that could allow an attacker to read arbitrary files.
Wiper used in Viasat hack is back, and worse than before
Security researchers have spotted a new, more dangerous variant of AcidRain – the wiper malware used as part of the Viasat hack that led to the bricking of thousands of modems in Ukraine and elsewhere in Europe.
SentinelLabs researchers have dubbed the variant AcidPour and have linked it – like its predecessor – to Russian threat actors.
While the original AcidRain was built only for the MIPS architecture used in embedded devices like the modems trashed at the onset of Russia's invasion of Ukraine, AcidPour has been extended to hit a wider range of Linux systems. The new variant can also wipe Unsorted Block Image (UBI) volumes, the flash file system layer used in embedded devices, and Device Mapper (DM) devices, suggesting it is intended to disrupt RAID arrays and large storage systems as well.
It's not clear if anyone has been targeted by AcidPour yet, though SentinelLabs notes the discovery of the variant coincided with the disruption of multiple Ukrainian telecom networks last week, and GRU-linked parties have claimed responsibility.
"This is a threat to watch," NSA cyber security director Rob Joyce said of the variant. "My concern is elevated because this variant is a more powerful AcidRain variant, covering more hardware and operating system types."
Only you can prevent data loss
Sure, cyber criminals can be the cause of data loss incidents, but according to Proofpoint it's far more likely you'll end up in a data loss situation because of negligent employees.
Proofpoint released its inaugural Data Loss Landscape report this week, which found that 85 percent of companies experienced some form of data loss in the past year. Of the 600 security professionals who responded to the survey, 71 percent said the main cause of their data loss was careless users.
Listed as common causes for data loss were misdirected emails, users visiting phishing sites, installation of unauthorized software and people sending sensitive data to their personal email accounts.
The greatest insider threat reportedly comes from privileged users – like HR and finance professionals, who were cited by 63 percent of respondents as their biggest risks. It's not like they're all negligent, though – Proofpoint noted that its data suggests just one percent of users were responsible for 88 percent of data loss events.
In other words, make sure you have data loss prevention measures in place, but still be sure to keep an eye on that absent-minded accountant who loves to click on suspicious links. ®