Once again, it’s time to patch! After several quiet months, there are a few crucial updates Always On VPN administrators will want to get deployed soon. Thankfully, the impact of the security updates related to Always On VPN is low this time, as there is only one Remote Code Execution (RCE) vulnerability, and it’s for a legacy protocol that should be in limited use today.
IKEv2
CVE-2023-36726 addresses a security vulnerability in Windows Internet Key Exchange (IKE) that can lead to privilege escalation. An attacker who successfully exploits this vulnerability can elevate privileges to that of the local SYSTEM.
L2TP
This month’s update discloses several Layer Two Tunneling Protocol (L2TP) vulnerabilities. The following CVEs all address a vulnerability where an attacker can send a specially crafted protocol message to a Windows Routing and Remote Access Service (RRAS) server, which could lead to remote code execution on the server.
- CVE-2023-38166
- CVE-2023-41765
- CVE-2023-41767
- CVE-2023-41768
- CVE-2023-41769
- CVE-2023-41770
- CVE-2023-41771
- CVE-2023-41773
- CVE-2023-41774
Mitigation
The impact of the L2TP security vulnerabilities should be minimal in most organizations. L2TP is a legacy VPN protocol not commonly used for Always On VPN. However, misconfiguration can leave vulnerable RRAS servers exposed. Administrators must ensure that inbound UDP port 1723 is not open from the Internet. In addition, L2TP should be disabled on the RRAS server if not in use. See the article on the May 2023 security updates for details.
