All posts in category CVE

Always On VPN April 2024 Security Updates

Microsoft has released its security updates for April 2024. This month, a few vulnerabilities are potentially impacting Always On VPN administrators. Specifically, three updates address issues with the Windows Server Routing and Remote Access Service (RRAS). In addition, vulnerabilities affect the Remote Access Connection Manager (RasMan) service, affecting both VPN servers and clients.

RRAS

Windows Server Routing and Remote Access (RRAS) has three security updates available this month. All three are Remote Code Execution (RCE) vulnerabilities but require user interaction to exploit the vulnerability. All three updates are rated as Important.

CVE-2024-26179

CVE-2024-26200

CVE-2024-26205

RasMan

In addition to the vulnerabilities in RRAS, Microsoft announced numerous updates for vulnerabilities discovered in the Remote Access Connection Manager (RasMan) service. These vulnerabilities are related to information disclosure via buffer overruns. These updates affect both Windows RRAS servers and Windows Always On VPN clients. All updates are rated as Important.

CVE-2024-26207

CVE-2024-26211

CVE-2024-26217

CVE-2024-26255

CVE-2024-28900

CVE-2024-28901

CVE-2024-28902

Recommendations

While none of these vulnerabilities are critical, Always On VPN administrators are urged to update their affected systems soon.

Additional Information

April 2024 Security Updates

Leave a comment
by Richard M. Hicks on April 9, 2024  •  Permalink
Posted in Always On VPN, AOVPN, CVE, Enterprise, enterprise mobility, Hotfix, Infrastructure, Microsoft, Mobility, Operational Support, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , ,

Posted by Richard M. Hicks on April 9, 2024

https://directaccess.richardhicks.com/2024/04/09/always-on-vpn-april-2024-security-updates/

Always On VPN November 2023 Security Updates

Microsoft has released its security updates for November 2023. For Always On VPN administrators, it’s a light month, with just a single CVE affecting Always On VPN infrastructure.

PEAP

CVE-2023-36028 addresses a remote code execution (RCE) vulnerability in the Microsoft Protected Extensible Authentication Protocol (PEAP). An attacker could exploit this vulnerability by sending a specially crafted PEAP packet to a Windows Network Policy Server (NPS). This attack does not require authentication or user interaction.

Affected Systems

This PEAP vulnerability affects only NPS servers configured to support PEAP authentication explicitly. PEAP authentication is a best practice configuration for Always On VPN deployments and is widely deployed. NPS servers deployed to support other services, such as Wi-Fi or router and switch access that are configured to allow PEAP authentication, are also affected.

Exposure

NPS servers are not (or should not be!) exposed directly to the public Internet. This limits the attack surface to adversaries already on the internal network.

Mitigation

Microsoft suggests disabling PEAP authentication support on NPS servers until the update is applied. However, this would break the majority of Always On VPN deployments today. Since disabling PEAP isn’t a viable option, administrators can reduce their attack surface by updating the NPS firewall rules to restrict access only to authorized VPN servers or other network devices until their systems are fully updated.

Additional Information

November 2023 Security Updates

CVE-2023-36028 PEAP Remote Code Execution Vulnerability

4 Comments
by Richard M. Hicks on November 14, 2023  •  Permalink
Posted in Active Directory, administration, Always On VPN, AOVPN, authentication, CVE, EAP, Enterprise, enterprise mobility, Infrastructure, Microsoft, Mobility, network policy server, NPS, Operational Support, PEAP, Protected EAP, Remote Access, Security, Security Update, Update, user tunnel, VPN, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on November 14, 2023

https://directaccess.richardhicks.com/2023/11/14/always-on-vpn-november-2023-security-updates/

Always On VPN July 2023 Security Updates

Hello, Always On VPN administrators! It’s the second Tuesday of the month, so you know what that means. Yes, it’s Patch Tuesday! This month’s security updates include several fixes for vulnerabilities potentially affecting Microsoft Always On VPN deployments.

RRAS Vulnerabilities

Microsoft’s July 2023 security updates include fixes affecting Windows Servers with the Routing and Remote Access Service (RRAS) role installed. Security vulnerabilities CVE-2023-35365, CVE-2023-35366, and CVE-2023-35367 are all Remote Code Execution (RCE) vulnerabilities with a Critical security rating and a CVSS score of 9.8. These security vulnerabilities in Windows Server RRAS are particularly troublesome due to the nature of the workload. RRAS servers are, by design, exposed to the public Internet. Although there are no known exploits in the wild at this time, this attack requires no special privileges other than network access. Administrators running Windows Server with RRAS installed are encouraged to update as soon as possible.

AD CS Vulnerabilities

Most Always On VPN implementations leverage enterprise PKI certificates for user and device authentication. Administrators commonly deploy Microsoft Active Directory Certificate Services (AD CS) to support this. This month there are two security vulnerabilities in AD CS marked as Important. CVE-2023-35350 and CVE-2023-35351 address RCE vulnerabilities that exploit a race condition on the server. However, AD CS servers are not exposed to untrusted networks. In addition, attackers would require administrative rights on the server to exploit these vulnerabilities.

Network Load Balancing

Finally, of importance to Always On VPN administrators using Windows Network Load Balancing (NLB) to provide load balancing for their RRAS servers, there is a vulnerability in the NLB service. CVE-2023-33163 addresses an RCE vulnerability in NLB identified as Important.

Additional Information

Microsoft July 2023 Security Updates

Windows Server 2022 KB5028171 (Build 20348.1850)

Windows Server 2019 KB5028168 (Build 17763.4645)

Windows Server 2016 KB 5028169 (Build 14393.6085)

Windows 11 22H2 KB8028185 (Build 22621.1992)

Windows 11 21H2 KB5028182 (Build 22000.2176)

Leave a comment
by Richard M. Hicks on July 11, 2023  •  Permalink
Posted in Active Directory, Active Directory Certificate Services, AD CS, administration, Always On VPN, AOVPN, Certificate Services, certificates, CVE, Deployment, Device Management, Enterprise, enterprise mobility, Hotfix, Infrastructure, Load Balancing, Microsoft, Mobility, Operational Support, PKI, public key infrastructure, Remote Access, routing and remote access service, RRAS, Security, Security Update, Update, VPN, Vulnerability, Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Tagged , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Posted by Richard M. Hicks on July 11, 2023

https://directaccess.richardhicks.com/2023/07/11/always-on-vpn-july-2023-security-updates/