The Microsoft security updates for June 2024 have now been published. Reviewing the list of bulletins shows three security updates of importance to Always On VPN administrators. Two affect the Windows Server Routing and Remote Access (RRAS) service, and one affects the Remote Access Connection Manager (RasMan) service. None of the updates are critical this month, which is good news.
RRAS
The following are the two security updates from this month’s cycle affecting Windows Server RRAS.
CVE-2024-30094 – Windows RRAS Remote Code Execution Vulnerability (Important)
CVE-2024-30095 – Windows RRAS Remote Code Execution Vulnerability (Important)
RasMan
The following security update affects the Remote Access Connection Manager (RasMan) service on Windows Server systems.
CVE-2024-30069 – Windows Remote Access Connection Manager Information Disclosure Vulnerability (Important)
Recommendations
None of the security vulnerabilities disclosed this month are critical and require local access to the system to take advantage of the exploit. However, administrators should update their systems as soon as possible.
The latest release of PowerON Platforms’Always On VPN Dynamic Profile Configurator (DPC), version 4.3.1, is now available for download. This recent update includes fixes for previously known issues. In addition, it contains some critical new features administrators will find helpful in addressing the challenges they face with Always On VPN client configuration.
What Is DPC?
Always On VPN DPC is a solution to manage Always On VPN client configuration settings. It was originally designed to be used with on-premises Active Directory but can also be deployed with Microsoft Intune. DPC streamlines the configuration and management of client settings and includes many advanced features to fine-tune and optimize Always On VPN.
What’s New in 4.3.1
The following essential features are new in the 4.3.1 release of DPC.
Add Device Tunnel Routes to User Tunnel
Always On VPN administrators can now configure DPC to add device tunnel routes to the user tunnel automatically. This configuration option ensures that all traffic flows of the user tunnel when both user and device tunnels are established.
Note: This feature also requires administrators to define route metric options in DPC. Ensure the user tunnel route metrics are set to a lower value than the device tunnel metrics for proper operation.
Restart RasMan
Always On VPN connections occasionally fail with error 602 (ERROR_PORT_ALREADY_OPEN). The workaround for this is to restart the RasMan service on the endpoint. DPC now supports automatically restarting the RasMan service when this error occurs, ensuring reliable operation for Always On VPN connections.
Machine Certificate Filtering
DPC 4.3.1 now includes a feature to allow administrators to enable machine certificate filtering for Always On VPN device tunnels. This addresses a challenge when the endpoint has multiple machine certificates in its local computer certificate store when the VPN server is configured to accept a certificate with a specific custom application policy (EKU).
Additional Features
In addition, the updated DPC agent core service now run as x64 processes. Also, DPC now supports VPN server FQDNs longer than 63 characters (good news for those using DPC with Azure VPN gateway!).
Download DPC
For those customers currently licensed for Always On VPN DPC you can download the latest release here.
Once again, Microsoft has released its monthly security updates. For May 2024, there are several vulnerabilities in services related to Always On VPN that administrators will want to pay close attention to. Microsoft has identified known issues in the Routing and Remote Access Service (RRAS) and the Remote Access Connection Manager (RasMan) service for this release cycle.
RRAS
This month, Microsoft published seven security fixes for vulnerabilities discovered in RRAS. All seven are Remote Code Execution (RCE) vulnerabilities rated Important. In addition, all vulnerabilities in RRAS require specific information about the environment for compromise, mitigating some of the exposure.
In addition to the updates for vulnerabilities in RRAS, Microsoft also released a security fix for issues identified in the Remote Access Connection Manager (RasMan) service. This update is marked Important but is not an RCE.
Although the vulnerabilities in RRAS are remotely exploitable, they will require specific information for an attacker to compromise. The risk of targeted attacks is lower than opportunistic ones, but administrators are still urged to update as soon as possible.
