Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.

PEAP

CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.

Exposure

NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.

Mitigation

Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

4 Comments
by Richard M. Hicks on November 14, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, CVE, EAP, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Protected EAP, Remote Access, Security, Security Update, Update, user tunnel, VPN, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 14, 2023

https://directaccess.richardhicks.com/2023/11/14/always-on-vpn-november-2023-security-updates/

Previous Post
Next Post
Leave a comment

4 Comments

  1. David Henderson

     /  November 15, 2023

    Hi Richard, Do you know if the updates has been released for Server 2022 via windows Update yet… My servers seem to be showing as “up to date” even though last installed updates where October I thought update where released on 14th this month ? (I am located in UK)

    Reply

    • Richard M. Hicks

       /  November 15, 2023

      They should be. I just checked and all my test systems updated last night (early this morning, technically). Not sure if there’s a delay for the UK, but I wouldn’t think so.

      Give it another shot today and let me know what happens.

      Reply

  2. Martin Asanza

     /  November 15, 2023

    server updated. thanks for the heads up.

    Reply

Leave a Reply

Discover more from Richard M. Hicks Consulting, Inc.

Subscribe now to keep reading and get access to the full archive.

Continue reading