Always On VPN NPS and PEAP Vulnerabilities

The February 2023 security updates for Windows Server address multiple vulnerabilities that affect Microsoft Always On VPN administrators. The update fixes multiple critical and important vulnerabilities in the Network Policy Server (NPS), commonly used to perform RADIUS authentication for Always On VPN servers. Specifically, it addresses several Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities in Protected Extensible Authentication Protocol (PEAP). PEAP with user authentication certificates is the authentication protocol of choice for Always On VPN user tunnel authentication.

Vulnerabilities

The following is a list of vulnerabilities in PEAP addressed in the February 2023 security update.

  • CVE-2023-21689: Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21690: Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21691: Microsoft PEAP Information Disclosure Vulnerability (important)
  • CVE-2023-21692: Microsoft PEAP Remote Code Execution Vulnerability (critical)
  • CVE-2023-21695: Microsoft PEAP Remote Code Execution Vulnerability (important)
  • CVE-2023-21701: Microsoft PEAP Denial of Service Vulnerability (important)

Mitigation

Unauthenticated attackers can exploit the RCE vulnerabilities in PEAP on Microsoft Windows NPS servers. However, NPS servers should not be exposed directly to the Internet, so an attacker would already need access to the internal network. Even so, administrators are advised to apply this update to their NPS servers as soon as possible. In addition, organizations that deploy the NPS role on enterprise domain controllers should update immediately.

Additional Information

February 2023 Update for Windows Server 2022 (KB5022842)

February 2023 Update for Windows Server 2019 (KB5022840)

February 2023 Update for Windows Server 2016 (KB5022838)

2 Comments

  1. Lion

     /  August 17, 2023

    Hello Richard,

    We currently use PEAP with EAP-TLS (user certificate) for authentication at the user tunnel. We are considering switching to EAP-TLS (user certificate) as there should be no significant difference in terms of security. What do you recommend?

    Best regards

    • For VPN (any VPN, not just Always On VPN) we always encourage the use of PEAP with user certificate credentials (EAP-TLS). This is because the VPN is exposed to the public Internet with no access controls. Anyone, from anywhere, can attempt to establish a connection. However, using EAP-TLS (with user certificates or username/password) can be acceptable for Wi-Fi networks as the exposure is limited to devices within range of the access point.

      Ultimately, the choice is yours as to which authentication scheme you choose. It really comes down to the level of risk you are willing to accept for remote access users.

      Hope that helps!
