Microsoft Releases Emergency Patches for Critical Windows Server Bug
System administrators, take note: Microsoft has released urgent out-of-band (OOB) security updates to address a significant bug affecting several versions of Windows Server. This emergency patch corrects a flaw introduced by the April 2023 security updates that was preventing administrators from using Windows Server Update Services (WSUS) correctly.
The timing of this fix is critical, as the original patch was intended to fix a severe vulnerability for which a proof-of-concept exploit is now publicly available.
The Problem: A Bug in the WSUS Workflow
Following the installation of the April 2023 cumulative updates, administrators discovered a disruptive issue. When attempting to import updates from the Microsoft Update Catalog into WSUS, the process would fail. This bug effectively broke a core function for many IT teams who rely on WSUS to manage and distribute patches across their server infrastructure.
The issue specifically impacts the following platforms:
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
This meant that while servers were protected from certain vulnerabilities, the tool used to manage those protections was now partially disabled, creating a new set of administrative and security challenges.
The Underlying Threat: A Wormable RCE Vulnerability
The April update that inadvertently caused the WSUS bug was designed to patch a highly critical remote code execution (RCE) vulnerability in the Windows Message Queuing (MSMQ) service. Tracked as CVE-2023-21554, this vulnerability carries a CVSS score of 9.8 out of 10, marking it as extremely dangerous.
An attacker who successfully exploits this flaw could execute arbitrary code with elevated privileges on a target server. What makes this vulnerability particularly alarming is that it is considered “wormable,” meaning an exploit could potentially spread automatically from one vulnerable server to another without any user interaction, similar to infamous threats like WannaCry.
The recent publication of a proof-of-concept exploit for CVE-2023-21554 has significantly increased the risk, turning a theoretical threat into a practical one. This makes patching not just recommended, but absolutely essential.
Your Action Plan: How to Secure Your Systems
To address both the WSUS bug and the underlying MSMQ vulnerability, administrators must take immediate action. These new emergency patches are not being distributed via Windows Update and must be manually downloaded and installed.
1. Identify Affected Servers:
First, confirm which of your servers are running the affected operating systems: Windows Server 2022, 2019, or 2016.
2. Download and Install the OOB Patch Manually:
You must go to the Microsoft Update Catalog to download the appropriate cumulative update for your system. These patches supersede the problematic April updates.
- Important Note: These OOB updates are cumulative. This means that if you have not yet installed the April 2023 updates, you can skip them and install this new OOB update directly. It includes all the necessary security fixes as well as the solution for the WSUS bug.
3. Check Your MSMQ Service Status:
The MSMQ service is not installed by default on Windows Server. The CVE-2023-21554 vulnerability is only exploitable if this service is enabled. You can check if your server is running the service by:
- Opening PowerShell and running the
Get-WindowsFeaturecommand to check for “Message-Queuing”. - Checking if a service named “Message Queuing” is running and listening on TCP port 1801.
Even if the service is not enabled, applying the patch is the recommended best practice to ensure comprehensive security and restore full WSUS functionality.
In summary, this is a two-pronged issue: a functional bug hindering patch management and a critical, exploitable vulnerability. Don’t delay—review your systems and apply these critical updates immediately to ensure your infrastructure remains secure and fully operational.
Source: https://www.bleepingcomputer.com/news/security/microsoft-releases-windows-server-emergency-updates-for-critical-wsus-rce-flaw/
