KB5026362 is the latest ‘Patch Tuesday’ update for Windows Server 2019 and Windows Server Core Installation 2019. The update was released on 9th May 2023.
KB5026362 has been superseded by KB5027222. KB5027222 was released on 13th June 2023. You can read more about it on this page.
Salient points about KB5026362
- KB5026362 is a cumulative update and supersedes KB5025229 cumulative update. KB5025229 was released on 11th April 2023.
- KB5026362 corresponds to Windows Server 2019 server build 17763.4377. KB5025229 is server build 17763.4252. So, an upgrade from April cumulative update to the May update implies an upgrade from 4252 to 4377.
- Servicing Stack Update KB5005112 needs to be deployed on Windows Server 2019 before deploying KB5026362. Since this SSU was released in August 2021, you have most likely installed KB5005112 on the server already.
- 19 security vulnerabilities have been disclosed for Windows Server 2019. 5 of these vulnerabilities have ‘CRITICAL’ severity while the remaining 14 have ‘IMPORTANT’ severity.
- 3 zero-day threats impact Windows Server 2019. These are shared in the vulnerability section below.
Download KB5026362
KB5026362 can be applied on Windows Server 2019 automatically. The automatic approach could make use of any of the following methods:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Service
KB5026362 can be applied manually. For this, you can download the offline installer file from the Microsoft Update Catalog website.
For the record, we are sharing the catalog links and direct download links for KB5026362.
- Download KB5026362 from the Microsoft Update Catalog page – the size of the update file is 599.1 MB.
- Direct download link for the KB5026362 offline installer.
If you did not install KB5005112 yet, you can download the Servicing Stack Update from one of the following links:
- Download KB5005112 from the Microsoft Update Catalog website. The size of the update file is 13.8 MB.
- Download KB5005112 offline installer file.
Servicing Stack Updates do not cause a server reboot.
For Windows 10 version 1809, the SSU is now included in the cumulative update, so a separate installation of the latest SSU is not needed on Windows 10.
For Windows Server 2019, you will need to follow the SSU instructions suggested by Microsoft. This month’s prerequisite is that KB5005112 is already installed on the server before KB5026362 is pushed to it.
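The prerequisite and build numbers above can be checked on a server before deployment. The following PowerShell is an added example, not code from Microsoft or from this article's original text; the function name `Get-Kb5026362State` and its state labels are hypothetical, while the KB numbers and builds are the ones given on this page.

```powershell
# Added example: readiness check for KB5026362 on Windows Server 2019.
# KB numbers and build revisions are taken from this page.
$RequiredSsu = 'KB5005112'   # Servicing Stack Update prerequisite
$OsBuild     = 17763         # Windows Server 2019 build
$TargetUbr   = 4377          # 17763.4377 corresponds to KB5026362

# Hypothetical helper: classify a server from its build, revision and hotfix list.
function Get-Kb5026362State {
    param(
        [int]      $Build,
        [int]      $Ubr,
        [string[]] $InstalledKbs = @()
    )
    # Any other OS build is outside the scope of this update.
    if ($Build -ne $OsBuild) { return 'NotApplicable' }
    # At or above 17763.4377: KB5026362 or a later cumulative update is installed.
    if ($Ubr -ge $TargetUbr) { return 'Patched' }
    # Below 4377 and no SSU: deploy KB5005112 before the cumulative update.
    if ($InstalledKbs -notcontains $RequiredSsu) { return 'InstallSsuFirst' }
    return 'ReadyForCumulativeUpdate'
}

# Read the running build and Update Build Revision (UBR) from the registry.
$cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Get-HotFix returns the updates recorded in Win32_QuickFixEngineering.
$kbs = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

# Emit one object per server so the result can be exported or aggregated.
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    Build        = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
    SsuInstalled = $kbs -contains $RequiredSsu
    State        = Get-Kb5026362State -Build ([int]$cv.CurrentBuildNumber) `
                       -Ubr ([int]$cv.UBR) -InstalledKbs $kbs
}
```

A server still on the April update (17763.4252) reports `InstallSsuFirst` or `ReadyForCumulativeUpdate` depending on whether KB5005112 is present.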
Vulnerabilities on Windows Server 2019
The security bulletin for May 2023 includes 19 vulnerabilities that impact Windows Server 2019. We restrict our focus to zero-day threats and ‘CRITICAL’ vulnerabilities.
Zero-day threats
The 3 zero-day threats that affect Windows Server 2019 are mentioned below.
Vulnerability | CVSS Score | Severity | Impact | Comments |
---|---|---|---|---|
CVE-2023-24932 | 6.7 | IMPORTANT | Secure Boot Security Feature Bypass | An attacker who successfully exploited this vulnerability could bypass Secure Boot. The attacker needs to have physical access or Administrative rights to a target device. To patch this vulnerability, please read the instructions on this page. |
CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook. |
CVE-2023-29336 | 7.8 | IMPORTANT | Elevation of Privileges | An attacker who successfully exploited this Win32k vulnerability could gain SYSTEM privileges. |
CRITICAL vulnerabilities on Windows Server 2019
The 5 CRITICAL vulnerabilities that affect Windows Server 2019 are shared below. The mitigation steps, if any, have been mentioned as well.
Vulnerability | CVSS Score | Severity | Impact | Comments |
---|---|---|---|---|
CVE-2023-24941 | 9.8 | CRITICAL | Remote Code Execution | This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Mitigation steps are shared in the Microsoft advisory for CVE-2023-24941. |
CVE-2023-24943 | 9.8 | CRITICAL | Remote Code Execution | When Windows Message Queuing service is running in a Pragmatic General Multicast (PGM) Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. To mitigate risk, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server. Read more details of this vulnerability on the Microsoft advisory page. |
CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | An attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. To mitigate this vulnerability, Microsoft recommends users read email messages in plain text format. |
CVE-2023-24903 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Secure Socket Tunneling Protocol (SSTP). To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to a SSTP server. This could result in remote code execution on the server side. |
CVE-2023-28283 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Lightweight Directory Access Protocol (LDAP). An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. |
KB5026362 Changelog
The following improvements and changes are part of the KB5026362 cumulative update for Windows Server 2019:
- This update addresses issues that affect the 32-bit version of Windows Calculator.
- This update addresses an issue that affects Microsoft Edge IE mode. The issue stops you from configuring add-ons.
- This update addresses security issues for your Windows operating system.
- This update addresses an issue that affects conhost.exe. It stops responding.
- This update affects the Islamic Republic of Iran. The update supports the government’s daylight saving time change order from 2022.
- The update addresses an issue that affects the Remote Procedure Call Service (RPCSS). A lock order inversion causes a deadlock in it.
- This update addresses an issue that affects the Key Distribution Center (KDC) service. When the service stops on a local machine, signing in to all local Kerberos fails. The error is STATUS_NETLOGON_NOT_STARTED.
- This update addresses an issue that affects accounts that run the Set-AdfsCertificate command. The command fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.
- This update addresses an issue that affects Active Directory Federation Services (AD FS). You might need to retry authentication multiple times to sign in successfully.
- This update addresses an issue that affects SMB Direct. Endpoints might not be available on systems that use multi-byte character sets.
- This update addresses an issue that might affect the Windows Local Administrator Password Solution (LAPS). It might fail. This occurs on versions of Windows Server 2019 that run Server Core. The error is 0x8007007f.
- This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.
- This update addresses a race condition in Windows LAPS. The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is 0xc0000005.
- This update addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy.
Important links for KB5026362
- Microsoft release notes for KB5026362
- Catalog site for KB5026362
- Zero-day initiative vulnerability coverage for May 2023 security updates
- Download file information for KB5026362 (downloads as a CSV file from the Microsoft site)
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.