
The February 2023 security updates for Windows Server address multiple vulnerabilities that affect Microsoft Always On VPN administrators. This latest update addresses multiple critical and important vulnerabilities in the Network Policy Server (NPS), which is commonly used to perform RADIUS authentication for Always On VPN servers. Specifically, there are several Remote Code Execution (RCE) and Denial of Service (DoS) vulnerabilities in the Protected Extensible Authentication Protocol (PEAP). PEAP with user authentication certificates is the authentication protocol of choice for Always On VPN user tunnel authentication.
Vulnerabilities
The following is a list of vulnerabilities in PEAP addressed in the February 2023 security update.
- CVE-2023-21689 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21690 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21691 – Microsoft PEAP Information Disclosure Vulnerability (important)
- CVE-2023-21692 – Microsoft PEAP Remote Code Execution Vulnerability (critical)
- CVE-2023-21695 – Microsoft PEAP Remote Code Execution Vulnerability (important)
- CVE-2023-21701 – Microsoft PEAP Denial of Service Vulnerability (important)
Mitigation
Unauthenticated attackers can exploit the RCE vulnerabilities in PEAP on Microsoft Windows NPS servers. NPS servers should not be exposed directly to the Internet, however, so an attacker would already need access to the internal network. Even so, administrators are advised to apply this update to their NPS servers as soon as possible. In addition, organizations that deploy the NPS role on enterprise domain controllers should update immediately.
Additional Information
February 2023 Update for Windows Server 2022 (KB5022842)
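The following PowerShell check is an added example, not part of the original post: it audits a host for the conditions the Mitigation section calls out (NPS role installed, domain controller or not, February 2023 package present, and which local addresses RADIUS is bound to). It assumes Windows Server 2022, since KB5022842 is the Server 2022 package; other Windows Server versions have their own February 2023 update and that ID will not match there.

```powershell
# Added example (not from the original post). Assumes Windows Server 2022, where the
# February 2023 cumulative update is KB5022842 as cited above.
$Kb = 'KB5022842'

# 1. Is the NPS role (Network Policy and Access Services) installed at all?
$nps = Get-WindowsFeature -Name NPAS

# 2. Is this host a domain controller? Win32_ComputerSystem.DomainRole:
#    4 = backup domain controller, 5 = primary domain controller.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDc = $role -ge 4

# 3. Is the February 2023 package listed? A later cumulative update supersedes it
#    and may remove it from the hotfix list, so also report the OS build so it can
#    be compared against Microsoft's release notes for the update.
$hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
$ver    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build  = "$($ver.CurrentBuild).$($ver.UBR)"

# 4. Which local addresses are the RADIUS ports (UDP 1812/1813) bound to?
#    Anything reachable from outside the internal network contradicts the guidance
#    above that NPS is never exposed directly to the Internet.
$radius = Get-NetUDPEndpoint -LocalPort 1812,1813 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    NpsRoleInstalled = [bool]$nps.Installed
    DomainController = $isDc
    FebUpdateListed  = [bool]$hotfix
    OsBuild          = $build
    RadiusListeners  = ($radius | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
}

if ($nps.Installed -and -not $hotfix) {
    $urgency = if ($isDc) { 'immediately (NPS role on a domain controller)' } else { 'as soon as possible' }
    Write-Warning "NPS is installed and $Kb is not listed; apply the February 2023 update $urgency."
}
```

Run it in an elevated PowerShell session on each NPS server; Get-WindowsFeature requires the ServerManager module that ships with Windows Server.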
Lion / August 17, 2023

Hello Richard,
We currently use PEAP with EAP-TLS (user certificate) for authentication at the user tunnel. We are considering switching to EAP-TLS (user certificate) as there should be no significant difference in terms of security. What do you recommend?
Best regards
Richard M. Hicks / August 17, 2023

For VPN (any VPN, not just Always On VPN) we always encourage the use of PEAP with user certificate credentials (EAP-TLS). This is because the VPN is exposed to the public Internet with no access controls. Anyone, from anywhere, can attempt to establish a connection. However, using EAP-TLS (with user certificates or username/password) can be acceptable for Wi-Fi networks as the exposure is limited to devices within range of the access point.
Ultimately, the choice is yours as to which authentication scheme you choose. It really comes down to the level of risk you are willing to accept for remote access users.
Hope that helps!