On-premises Identity updates & fixes for September 2019

Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for September 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4516044 September 10, 2019

The September 10, 2019 update for Windows Server 2016 (KB4516044), which raises the OS Build number to 14393.3204, is a security update that includes many security fixes.

This update addresses CVE-2019-1273, an Active Directory Federation Services XSS vulnerability rated Important.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522010 September 23, 2019

The September 23, 2019 update for Windows Server 2016 (KB4522010), which raises the OS Build number to 14393.3206, does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516061 September 24, 2019

The September 24, 2019 update for Windows Server 2016 (KB4516061), which raises the OS Build number to 14393.3242, includes the following Identity-related updates:

  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the domain option.
  • It addresses an issue with LdapPermissiveModify requests, which fail to make Active Directory (AD) group membership changes if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (SID) syntax. In this scenario, Active Directory returns a “SUCCESS” status even though the change did not occur.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4512578 September 10, 2019

The September 10, 2019 update for Windows Server 2019 (KB4512578), which raises the OS Build number to 17763.737, is a security update that includes many security fixes.

This update addresses CVE-2019-1273, an Active Directory Federation Services XSS vulnerability rated Important.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522015 September 23, 2019

The September 23, 2019 update for Windows Server 2019 (KB4522015), which raises the OS Build number to 17763.740, does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516077 September 24, 2019

The September 24, 2019 update for Windows Server 2019 (KB4516077), which raises the OS Build number to 17763.774, includes the following Identity-related updates:

  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the lsass.exe service to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the -domain option.
  • It addresses an issue that prevents you from running the Active Directory Diagnostics Data Collector Set from the Performance Monitor for Domain Controllers. This causes the Data Collector Set name to appear empty. Running the Active Directory Diagnostics Data Collector Set returns the error, “The system cannot find the file specified.” Event ID 1023 is logged with the source as Perflib and the following messages:
    • Windows cannot load the extensible counter DLL “C:\Windows\system32\ntdsperf.dll”.
    • The specified module could not be found.
  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses a Lightweight Directory Access Protocol (LDAP) runtime issue for Domain Controller Locator-style LDAP requests. The error is, “Error retrieving RootDSE attributes, data 8, v4563.”
  • It addresses an issue that causes LDAP queries that contain LDAP_MATCHING_RULE_IN_CHAIN (memberof:1.2.840.113556.1.4.1941) to intermittently fail on Windows Server 2019 domain controllers. However, these queries do not fail on domain controllers running previous versions of Windows Server.
  • It addresses an issue that causes group membership changes in Active Directory groups to fail. This occurs if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (sID) Distinguished Name (DN) syntax after installing previous versions of NTDSAI.DLL. In this scenario, an issue with the LdapPermissiveModify (LDAP_SERVER_PERMISSIVE_MODIFY_OID) control causes Active Directory to incorrectly return a SUCCESS status even though the group membership change did not occur.
  • It addresses an issue in which the Set-AdfsSslCertificate script is successful. However, it throws an exception during resource cleanup because the target server-side endpoint is no longer there.

This update includes so many improvements that Joseph Ryan Ries, Escalation Engineer at Microsoft Corp., claims that Windows Server 2019 Domain Controllers are now ready for production…
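To check whether a Windows Server 2016 or 2019 host carries the September 2019 updates listed above (both the September 10 security update with the CVE-2019-1273 AD FS fix and the September 24 update with the Identity fixes), the following PowerShell can be run locally. This is an added example, not code from the original post or from Microsoft; the KB ids and OS Build numbers are the ones quoted in the post, and the $expected lookup table, the registry and Get-HotFix sources, and the adfssrv service name are this example's assumptions.

```powershell
# Added example: verify the September 2019 cumulative updates on this host.
# The KB ids and build revisions below are the ones quoted in the post.
$expected = @{
    # CurrentBuildNumber -> September 24 Identity update and September 10 security update
    '14393' = @{ Kb = 'KB4516061'; Ubr = 3242; SecurityKb = 'KB4516044'; SecurityUbr = 3204 }
    '17763' = @{ Kb = 'KB4516077'; Ubr = 774;  SecurityKb = 'KB4512578'; SecurityUbr = 737 }
}

# Build and revision (UBR) come from the registry; OS Build 14393.3242 = build 14393, UBR 3242.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
$ubr   = [int]$cv.UBR

if (-not $expected.ContainsKey($build)) {
    Write-Output "Build $build is not Windows Server 2016 or 2019; nothing to check."
    return
}
$want      = $expected[$build]
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Compare the revision rather than only the KB id: a later cumulative update
# supersedes the September packages and carries the same fixes.
$hasCve = $ubr -ge $want.SecurityUbr   # CVE-2019-1273 AD FS XSS fix (September 10)
$hasSep = $ubr -ge $want.Ubr           # LSASS, DPAPI and LDAP fixes (September 24)

[pscustomobject]@{
    OSBuild              = "$build.$ubr"
    SecurityUpdateKb     = $want.SecurityKb
    Cve20191273Fixed     = $hasCve
    IdentityFixesKb      = $want.Kb
    IdentityFixesApplied = $hasSep
    KbListedByGetHotFix  = @($installed | Where-Object { $_ -in $want.Kb, $want.SecurityKb })
}

# Only hosts running the AD FS role are exposed to CVE-2019-1273 (assumed service name: adfssrv).
if ((Get-Service -Name adfssrv -ErrorAction SilentlyContinue) -and -not $hasCve) {
    Write-Warning "AD FS service present but the September 10, 2019 security update is missing."
}
```

Run it on each domain controller and AD FS server; a False in IdentityFixesApplied means the LSASS, DPAPI and LdapPermissiveModify fixes described above are not yet in place.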
