November 2024 Microsoft Security Updates and DirectAccess

With the November 2024 security updates, Microsoft disclosed a vulnerability (CVE-2024-43639) in the Windows Server KDC Proxy service. This is a Remote Code Execution (RCE) vulnerability with a max severity rating of Critical. If you still use Microsoft DirectAccess for remote access, you’ll want to pay close attention to this bulletin.

KDC Proxy and DirectAccess

When DirectAccess is installed and configured, the KDC Proxy Service is enabled automatically and by default. By design, DirectAccess servers are exposed to the Internet, which significantly increases the risk of this vulnerability. Organizations that have deployed DirectAccess are encouraged to update their systems immediately.

Workaround

There is no known workaround available at this time. Apply the latest security updates to mitigate this risk.

Additional Information

Windows KDC Proxy Remote Code Execution Vulnerability

Microsoft DirectAccess Formally Deprecated

Always On VPN Security Updates October 2024

Microsoft has released the October 2024 security updates, and numerous issues may impact Always On VPN administrators. Although many CVEs affect Always On VPN-related services that are Remote Code Execution (RCE) vulnerabilities, none are critical this cycle.

RRAS Updates

This month, Microsoft has provided 12 updates for the Windows Server Routing and Remote Access Service (RRAS), commonly deployed to support Always On VPN deployments. Most of these CVEs involve overflow vulnerabilities (heap and stack), input validation weaknesses, and buffer over-read and overflow vulnerabilities. All are rated important, and there are no known exploits currently.

CVE-2024-38212

CVE-2024-38261

CVE-2024-38265

CVE-2024-43453

CVE-2024-43549

CVE-2024-43564

CVE-2024-43589

CVE-2024-43592

CVE-2024-43593

CVE-2024-43607

CVE-2024-43608

CVE-2024-43611

Related Updates

In addition to the updates above, Microsoft also released fixes for security vulnerabilities in various related services that are important to Always On VPN administrators.

Windows Network Address Translation (NAT)

The following CVEs address denial of service vulnerabilities in the Network Address Translation (NAT) service.

CVE-2024-43562

CVE-2024-43565

Certificate Services

Always On VPN administrators will also find updates for CVEs affecting various certificate services-related components.

CVE-2024-43545OCSP Denial of Service Vulnerability

CVE-2024-43541Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability

CVE-2024-43544Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability

Recommendations

Always On VPN administrators are encouraged to update systems as soon as possible. However, since none of the CVEs is rated Critical, updates can be applied during standard update windows.

Additional Information

Microsoft October 2024 Security Updates

DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)