DirectAccess and CVE-2024-38063

With the August 2024 Windows security updates, Microsoft released a fix to address a Remote Code Execution vulnerability in the Windows TCP/IP stack (CVE-2024-38063). Critically, this vulnerability affects IPv6 only and does not require authentication or user interaction to exploit. An attacker would only need to send specially crafted IPv6 packets to a Windows host, which could allow them to run arbitrary code on the server. This vulnerability presents some unique challenges for organizations that have deployed DirectAccess.

Exposure

DirectAccess servers are deployed to provide secure remote access and are, necessarily, exposed to the public Internet. Sometimes, this is a direct connection (not recommended) or behind an edge firewall or load balancer. In either case, anyone can establish a TCP connection from the Internet to the DirectAccess server by default. If the DirectAccess server has a global unicast IPv6 address assigned to its external interface, that presents a worst-case scenario for exposure. Administrators should update their DirectAccess servers immediately. There are some other mitigation options, though. See below for more details.

IPv6 Transition

DirectAccess servers are usually reachable on the public Internet via IPv4 only. The lack of direct IPv6 connectivity significantly reduces the attack vector for this vulnerability. However, DirectAccess servers use various IPv6 transition technologies that could present additional risks.

Tunnel Establishment

Clients on the Internet can establish an IPv6 transition tunnel to the DirectAccess server without authentication. Once the tunnel is established, the client will receive a router advertisement (RA) and establish an IPv6 address on link. However, communication over the link requires IPsec. Although an attacker can obtain an IPv6 address, they require authentication to send TCP and UDP traffic inside the tunnel.

ICMP

It’s important to know that ICMP traffic inside the DirectAccess IPv6 transition tunnel is exempt from IPsec policy processing, by default. It is unclear whether the “specially crafted packets” an attacker must send to exploit this vulnerability can be ICMP packets. If that’s the case, this introduces significant risks and increases exposure exponentially. I will update this post if I learn anything more about this specifically.

Mitigation

The best and most obvious way to mitigate this attack is to immediately apply the Microsoft security updates. However, some additional controls can be effective in mitigating this risk.

Authentication

As mentioned, DirectAccess allows IPv6 transition tunnels to be established by default without authentication. However, it is possible to update the DirectAccess configuration to support authentication, as described here.

https://directaccess.richardhicks.com/2016/06/13/directaccess-ip-https-preauthentication/

Note: Updating the DirectAccess configuration can be impactful for remote users. Be sure to test this change in a lab environment before implementing in production.

Load Balancers

If the DirectAccess server is behind a load balancer, it can be configured to require authentication for DirectAccess IPv6 transition tunnels. Below is published guidance for configuring popular load balancers to support this.

F5 BIG-IP

Citrix ADC (formerly NetScaler)

Additional Information

Microsoft Windows TCP/IP Remote Code Execution Vulnerability

DirectAccess IP-HTTPS Preauthentication

DirectAccess IP-HTTPS Preauthentication using F5 BIG-IP

DirectAccess IP-HTTPS Preauthentication using Citrix ADC (formerly NetScaler)

Always On VPN Security Updates August 2024

Today is the second Tuesday of the month, so Windows Server administrators everywhere know what that means – it’s Update Tuesday! For Always On VPN administrators in particular there are a few security updates that affect Windows Server Routing and Remote Access (RRAS), which is a popular VPN server used to support Always On VPN implementations. While many of these updates address Remote Code Execution vulnerabilities, non are considered critical.

RRAS Updates

This month there are six vulnerabilities disclosed affecting Windows Server RRAS.

CVE-2024-38120 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38121 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38128 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38130 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38154 – Windows RRAS Remote Code Execution Vulnerability (Important)

CVE-2024-38214 – Windows RRAS Remote Code Execution Vulnerability (Important)

Additional Updates

In addition to the updates addressing vulnerabilities in Windows Server RRAS, there are also updates available for the Windows Network Address Translation (NAT), Windows Transport Layer Security (TLS), and Windows IP Routing Management snapin that could potentially impact Always On VPN deployments.

Recommendations

None of the security vulnerabilities disclosed this month are critical. Although the RRAS vulnerabilities are remote code execution, exploitation is unlikely. However, administrators are encouraged to update their systems as soon as possible.

Additional Information

Microsoft August 2024 Security Updates

Always On VPN and Blast-RADIUS

Microsoft released an update for the Windows Server Network Policy Server (NPS) to address recently disclosed vulnerabilities in the Remote Access Dial-In User Service (RADIUS) protocol in the July 2024 security updates. RADIUS is an industry-standard authentication protocol widely used for remote access, including Always On VPN. The RADIUS protocol was first introduced in the early 1990s and, unfortunately, still relies on the deprecated MD5 cryptographic hash function. The good news is that this vulnerability does not affect Always On VPN. Read on to learn more.

Blast-RADIUS

Blast-RADIUS is an attack on the RADIUS protocol that allows an attacker to alter network authentication packets to gain access to a service relying on RADIUS for authentication by exploiting the weakness of MD5 integrity checks in RADIUS. In the absence other controls, an attacker could alter an authentication response and change the reply from Access-Reject to Access-Accept.

Considerations

It’s important to note that leveraging this attack is not trivial. It requires local network access, so the attacker must have a presence on the target network to carry out this attack. However, cloud-hosted RADIUS services are inherently more vulnerable. In addition, the attack is mostly academic today because the default timeout for authentication requests is typically short, usually between 5 and 30 seconds. This is not enough time (today) for an attacker to mount the attack. However, this attack could become more feasible if authentication timeouts are increased (sometimes required to support MFA) or if an attacker has access to vast computing resources.

Affected Protocols

Although Blast-RADIUS is a vulnerability in the RADIUS protocol itself, not all authentication protocols are affected. Specifically, this vulnerability affects services leveraging PAP, CHAP, MS-CHAP, and MS-CHAPv2. Extensible Authentication Protocol (EAP) and Protected Extensible Authentication Protocol (PEAP) are not vulnerable to this attack. Since Always On VPN requires EAP authentication, it is not susceptible to this attack.

Mitigation

Microsoft has published guidance in KB5040268 for mitigating Blast-RADIUS attacks on Windows NPS servers. Specifically, administrators are encouraged to enable the Message-Authenticator attribute in Access-Request packets sent by the network access server and to ensure the NPS server requires the Message-Authenticator attribute in any Access-Request messages it receives.

Note: The following changes are not required for Always On VPN or any other workload using EAP-TLS or Protected EAP, as these protocols use TLS natively to protect the authentication exchange.

NPS

To configure this setting in the UI, open the NPS management console (nps.msc) and perform the following steps.

  1. Expand RADIUS Clients and Servers.
  2. Highlight RADIUS Clients.
  3. Right-click the RADIUS client to configure and choose Properties.
  4. Select the Advanced tab.
  5. Check the box next to Access-Request messages must contain the Message-Authenticator attribute.

PowerShell

To configure this setting using PowerShell, open an elevated PowerShell command window and run the following command.

Set-NpsRadiusClient -Name <RADIUS client name> -AuthAttributeRequired $True

Additional NPS Settings

Administrators should also run the following commands on their NPS servers to further protect their infrastructure from Blast-RADIUS attacks.

netsh.exe nps set limitproxystate all = enable

netsh.exe nps set requiremsgauth all = enable

RRAS

When using Windows Server Routing and Remote Access (RRAS) without EAP, ensure the RADIUS server configuration always includes the Message-Authenticator. To configure this setting, open the Routing and Remote Access console (rrasmgmt.msc) on the RRAS server and perform the following steps.

  1. Right-click the VPN server and choose Properties.
  2. Select the Security tab.
  3. Click the Configure button next to the Authentication provider drop-down list.
  4. Highlight the RADIUS server and choose Edit.
  5. Check the box next to Always use message authenticator.

Repeat these steps for any additional configured RADIUS servers.

CLI

Administrators can implement this change at the command line by opening an elevated command window and entering the following command.

netsh.exe ras aaaa set authserver name = <name of RADIUS server> signature = enabled

For example:

netsh.exe ras aaaa set authserver name = nps.lab.richardhicks.net signature = enabled

New NPS Events

After installing the KB5040268 update on NPS servers, the NPS server will record event ID 4421 from the NPS source after a service start if the RequireMsgAuth or LimitProxyState settings are not configured.

“RequireMsgAuth and/or limitProxyState configuration is in Disable mode. These settings should be configured in Enable mode for security purposes.”

Optional Mitigation

If administrators cannot configure the above settings, consider using IPsec to secure network traffic at the transport layer. IPsec will protect all RADIUS traffic at the network layer to mitigate Blast-RADIUS attacks. Unfortunately, Windows Server NPS does not support TLS or DTLS, so IPsec is your only option.

Summary

Always On VPN is not vulnerable to the Blast-RADIUS attack. However, NPS is commonly a shared service in many organizations, and other workloads may use older, vulnerable protocols. Consider implementing the changes detailed in KB5040268 as outlined in above to ensure the integrity of your environment and mitigate these potential attacks.

More Information

Microsoft KB5040268: how to manage Access-Request packets attack vulnerability associated with CVE-2024-3596

RADIUS Protocol Vulnerability Exposes Networks to MitM Attacks

New Blast-RADIUS attack breaks 30-year-old protocol used in networks everywhere

Overview of Microsoft Protected Extensible Authentication Protocol (PEAP)

Always On VPN NPS Auditing and Logging