Microsoft has released the October 2024 security updates, and numerous issues may impact Always On VPN administrators. Although many CVEs affect Always On VPN-related services that are Remote Code Execution (RCE) vulnerabilities, none are critical this cycle.
RRAS Updates
This month, Microsoft has provided 12 updates for the Windows Server Routing and Remote Access Service (RRAS), commonly deployed to support Always On VPN deployments. Most of these CVEs involve overflow vulnerabilities (heap and stack), input validation weaknesses, and buffer over-read and overflow vulnerabilities. All are rated important, and there are no known exploits currently.
Related Updates
In addition to the updates above, Microsoft also released fixes for security vulnerabilities in various related services that are important to Always On VPN administrators.
Windows Network Address Translation (NAT)
The following CVEs address denial of service vulnerabilities in the Network Address Translation (NAT) service.
Certificate Services
Always On VPN administrators will also find updates for CVEs affecting various certificate services-related components.
CVE-2024-43545 – OCSP Denial of Service Vulnerability
CVE-2024-43541 – Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability
CVE-2024-43544 – Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability
Recommendations
Always On VPN administrators are encouraged to update systems as soon as possible. However, since none of the CVEs is rated Critical, updates can be applied during standard update windows.
