KB5013941 Cumulative Update for Windows Server 2019 – May 10 Update

KB5013941 is the security update for Windows Server 2019. It was released on May 10, 2022 as part of Microsoft’s Patch Tuesday program. We look at the key aspects of the KB5013941 cumulative security update for Windows Server 2019.

KB5014692 Cumulative Update for Windows Server 2019 for June 2022.

Salient points about KB5013941 for Windows Server 2019

  • KB5013941 is a cumulative security update.
  • KB5013941 supersedes April’s KB5012647 security update.
  • Windows Server 2019 is affected by a zero-day vulnerability, CVE-2022-26925. This vulnerability is fixed in May’s KB5013941 cumulative update.
  • Windows Server 2019 is also affected by CVE-2022-26923, a CVSS 8.8 vulnerability that affects Active Directory Domain Services. You need to be aware of the mitigation efforts required to control this vulnerability.
  • KB5013941 also includes the changes that were part of the optional preview update KB5012636. If you did not apply KB5012636 on Windows Server 2019, the KB5012636 changes will be applied as part of KB5013941.
  • Prior to deploying KB5013941, you need to deploy KB5005112 Servicing Stack Update.
  • The MSU update file for KB5013941 weighs 563.7 MB.
  • OOB update KB5015018 for Windows Server 2019 will resolve authentication issues on domain controllers that have been patched with KB5013941. You can read more about KB5015018 below.

KB5015018 – Out of Band Update for Windows Server 2019

KB5015018 is an out of band (OOB) update released by Microsoft on 19th May 2022. It is released for Windows Server 2019. The emergency update seeks to resolve issues in authenticating to the Windows Server 2019 domain controllers after they were patched with KB5013941.

The main points about the OOB update for Windows Server 2019 are given below.

  • KB5015018 is a cumulative update and supersedes KB5013941.
  • If you did not patch Windows Server 2019 with KB5013941, you can skip that installation. Instead, you can directly deploy KB5015018 cumulative update on Windows Server 2019. You will still need to deploy the SSU for Windows Server 2019.
  • If you have already deployed KB5013941 on Windows Server 2019, please go ahead and deploy KB5015018 as well. Only the changes that are incremental to KB5013941 will be deployed on the Windows Server 2019 as part of the KB5015018 installation.
  • Since this is an OOB or emergency update, you deploy it manually. It is not available through Windows Update, WSUS or Windows Update for Business.
  • You can download KB5015018 for Windows Server 2019 through the Microsoft Update Catalog page here.
  • The size of the MSU update file for KB5015018 for x64 based Windows Server 2019 is 563.8 MB.
  • The size of the MSU update file for KB5015018 for ARM64 based Windows Server 2019 is 615.3 MB.

KB5013941 – Zero-day vulnerability on Windows Server 2019

CVE-2022-26925 – Windows LSA Spoofing is a vulnerability that affects Windows Server 2019. It is a CVSS 8.1 vulnerability. However, it can be used with the PetitPotam vulnerability or the NTLM relay attack vulnerability. In such cases, the vulnerability assumes a critical impact with a CVSS severity of 9.8.

In particular, domain controllers are prone to be exploited using CVE-2022-26925. The vulnerability has already been exploited. So, we know that the threat is real. KB5013941 for Windows Server 2019 applies a fix against this security vulnerability. Here are the brief details of CVE-2022-26925 security vulnerability.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take the mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2019. The NTLM relay attacks are part of the PetitPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is high and it is rated as AC:H.

Please apply KB5013941 on your Windows Server 2019 domain controllers immediately.

Note that Microsoft released a list of 75 vulnerabilities as part of May’s Patch Tuesday updates. Some of these do affect Windows Server 2019. To keep things simple, we have shared the zero-day vulnerabilities. This should allow you to target immediate threats to Windows Server 2019 deployments in your infrastructure.

CVE-2022-26923 – Active Directory Domain Services Vulnerability – Elevation of Privileges

Windows Server 2019 is impacted by the Active Directory Domain Services vulnerability CVE-2022-26923, which could allow elevation of privilege, a seriously damaging outcome. It is a CVSS 8.8 critical vulnerability and is more likely to be exploited. As of now, it is not publicly exploited. As part of the vulnerability, an authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.

There is no resolution available as of now. The only mitigating step that you can undertake is to disable Active Directory Certificate Service on the domain. Since this may not be possible for all, we await a permanent resolution of the vulnerability.

KB5012647 is the Windows 2019 security update for April 2022. You can check that out on this page.

Prerequisites for installing KB5013941 on Windows Server 2019

Servicing Stack Update KB5005112 needs to be on Windows Server 2019 before KB5013941 is deployed. KB5005112 was released in August 2021. If you have successfully and automatically deployed any cumulative update after August 2021, you would have been presented with the SSU KB5005112 as part of the update process.

If you deploy updates manually, there is a high chance that you have already deployed the SSU KB5005112 on Windows Server 2019. If you have not deployed KB5005112 on Windows Server 2019, please download it from the Microsoft Update catalog. You could deploy it manually.

  • The size of the SSU KB5005112 for Windows Server 2019 is 13.8 MB.
  • Once KB5005112 is deployed, you could deploy KB5013941 on the Windows Server 2019.

How can I install KB5013941 on Windows Server 2019?

KB5013941 can be applied manually or automatically. It is available through all normal channels of the Windows Update process. We review the various methods by which you can install KB5013941 on Windows Server 2019.

  • KB5013941 can be deployed manually. You can download the MSU update file from the Microsoft Update Catalog for Windows Server 2019 on this page.
  • The MSU update file for KB5013941 for Windows Server 2019 is 563.7 MB.
  • Prior to installing KB5013941, do ensure that you have already deployed KB5005112 Servicing Stack Update. You can check the Update History to validate the deployment of KB5013941.
  • Windows Update process can be used to automatically deploy KB5013941 on Windows Server 2019. SSU KB5005112 will be automatically offered to you as part of installation process of KB5013941.
  • KB5013941 can also be applied automatically using Windows Update for Business.
  • WSUS or the Windows Server Update Service can be used to automatically import and deploy the cumulative security update KB5013941 for Windows Server 2019.

You need to be aware that the server may restart during the update process. The update file is over 500 MB in size. Please plan for the update as part of the change management ticket.
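The sequencing described above (SSU KB5005112 first, then KB5013941 or the superseding KB5015018) can be turned into a per-host check. The following is an added example, not Microsoft's or this article's own script; the function name `Get-Ws2019PatchPlan` is hypothetical, and it assumes the KB ids appear in `Get-HotFix` output on the host.

```powershell
# Added example: derive the next patching step from the KB ids named in this article.
function Get-Ws2019PatchPlan {            # hypothetical helper name
    param(
        [string[]]$InstalledKb,           # KB ids as reported by (Get-HotFix).HotFixID
        [bool]$IsDomainController
    )
    $ssu = 'KB5005112'   # Servicing Stack Update, required first
    $lcu = 'KB5013941'   # May 10, 2022 cumulative update
    $oob = 'KB5015018'   # May 19, 2022 out-of-band update, supersedes KB5013941
    $plan = @()

    if ($InstalledKb -notcontains $ssu) {
        $plan += "Install SSU $ssu before any cumulative update."
    }
    if ($InstalledKb -contains $oob) {
        $plan += "$oob is present; no further May 2022 cumulative update is needed."
    }
    elseif ($InstalledKb -contains $lcu) {
        if ($IsDomainController) {
            # The OOB update targets authentication issues on patched domain controllers.
            $plan += "Priority: domain controller has $lcu only; install $oob manually."
        }
        else {
            $plan += "Install $oob as well; only the changes incremental to $lcu are applied."
        }
    }
    else {
        # Assumption: a later cumulative update may replace both entries in
        # Get-HotFix output, so confirm against the Update History before acting.
        $plan += "Neither $lcu nor $oob is listed; install $oob directly (it supersedes $lcu)."
    }
    $plan
}

# Constructed sample inputs, so the logic can be followed without a live server.
Get-Ws2019PatchPlan -InstalledKb @('KB5005112', 'KB5013941') -IsDomainController $true
Get-Ws2019PatchPlan -InstalledKb @('KB5012647') -IsDomainController $false

# On a real Windows Server 2019 host:
# $kb = (Get-HotFix).HotFixID
# $dc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4 and 5 are domain controllers
# Get-Ws2019PatchPlan -InstalledKb $kb -IsDomainController $dc
```

Running it across an inventory of servers gives a quick list of domain controllers that carry KB5013941 without the out-of-band fix.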

.NET Framework Update – Windows Server 2019

January updates broke the Active Directory Forest trust relationships and information. The issue happened on account of the underlying .NET framework. .NET patches have been released by Microsoft to resolve the issue.

  • .NET Framework 4.7.2 can be patched with KB5011259 update file. It can be downloaded from the Microsoft Update Catalog page here. The update file is available for x64 and ARM64 processors.
  • .NET Framework 4.8 can be patched with KB501257 update file. It can be downloaded from the Microsoft Update catalog page here. The update file is available for x64 architecture.

Summary

KB5013941 for Windows Server 2019 is significant in respect of the zero-day threat CVE-2022-26925. Installing the SSU KB5005112 is required prior to installing KB5013941. This update is cumulative in nature and contains all the changes that were part of the optional update KB5012636 for Windows Server 2019.
