Hey, Always On VPN administrators! It’s the second Tuesday of the month, which means security updates for Windows have been released. This month’s batch includes an update to address a critical vulnerability likely to affect many Always On VPN implementations using Windows Server.
SSTP Vulnerability
CVE-2023-24903 documents a vulnerability on Windows servers with the Routing and Remote Access Service (RRAS) configured to support Secure Socket Tunneling Protocol (SSTP) for VPN connections. This is a remote code execution (RCE) vulnerability that can be exploited when an attacker sends a specially crafted malicious packet to the server. Administrators are encouraged to update as soon as possible.
Mitigation
SSTP is commonly used for Always On VPN user tunnels. However, if administrators have configured user tunnels using IKEv2, or are using the device tunnel only, consider blocking inbound TCP 443 at the edge firewall to prevent attacks from the Internet. In addition, if SSTP is not in use, consider disabling support for SSTP by opening an elevated PowerShell command window and running the following commands.
netsh.exe RAS set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0
Restart-Service RemoteAccess -PassThru
Alternatively, SSTP can be disabled in the RRAS management console by following the steps below.
- Open the RRAS management console (rrasmgmt.msc).
- Expand the server.
- Right-click Ports.
- Choose Properties.
- Highlight WAN Miniport (SSTP).
- Click Configure.
- Uncheck Remote access connections (inbound only).
- Uncheck Demand-dial routing connections (inbound and outbound).
- Enter 0 in the Maximum ports field.
- Click Ok.
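The following PowerShell script is an added example, not code from the original post. It ties the steps above together on the RRAS server itself: it checks whether the May 2023 update listed in this post for the server's OS appears in Get-HotFix, counts active SSTP connections with Get-RemoteAccessConnectionStatistics so SSTP is not switched off under live users, and, when run with -DisableSstp and no SSTP sessions are present, runs the same netsh and Restart-Service commands given above and then shows the resulting port configuration. It assumes an elevated session on the RRAS server with the RemoteAccess module available; the OS-to-KB table, the function names and the -DisableSstp switch are this example's own.

```powershell
# Added example (not from the original post): check patch status and SSTP usage on an
# RRAS server, and optionally disable SSTP using the netsh/Restart-Service steps from the post.
# Assumptions: elevated PowerShell on the RRAS server, RemoteAccess module present.
[CmdletBinding()]
param(
    [switch]$DisableSstp   # hypothetical switch: only acts when no SSTP connections are active
)

# Server OS -> May 2023 cumulative update KB, as listed in the post.
$kbByOs = @{
    '2016' = 'KB5026363'
    '2019' = 'KB5026362'
    '2022' = 'KB5026370'
}

function Get-ExpectedKb {
    # Match the OS caption (e.g. "Microsoft Windows Server 2019 Standard") to a KB.
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    foreach ($version in $kbByOs.Keys) {
        if ($caption -match $version) { return $kbByOs[$version] }
    }
    return $null
}

function Test-PatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates by KB id. A later cumulative update supersedes this
    # one, so a missing entry should be confirmed against Windows Update history rather than
    # treated as proof the server is unpatched.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Get-ActiveSstpConnectionCount {
    # Each active RRAS connection is reported with its TunnelType (Sstp, Ikev2, ...).
    $connections = Get-RemoteAccessConnectionStatistics -ErrorAction SilentlyContinue
    return @($connections | Where-Object { $_.TunnelType -eq 'Sstp' }).Count
}

function Disable-SstpPorts {
    # Same commands as the post: zero the SSTP WAN Miniport ports, then restart RRAS.
    netsh.exe RAS set wanports device = "WAN Miniport (SSTP)" rasinonly = disabled ddinout = disabled ddoutonly = disabled maxports = 0
    Restart-Service RemoteAccess -PassThru
}

# 1. Patch status for this server's OS.
$kb = Get-ExpectedKb
if ($kb) {
    if (Test-PatchInstalled -Kb $kb) { Write-Output "$kb is installed." }
    else { Write-Warning "$kb not found in Get-HotFix output; verify Windows Update history." }
} else {
    Write-Warning "Unrecognised OS version; check the May 2023 update for this server manually."
}

# 2. Is SSTP actually in use right now?
$sstpCount = Get-ActiveSstpConnectionCount
Write-Output "Active SSTP connections: $sstpCount"

# 3. Optionally disable SSTP, but never while users are connected over it.
if ($DisableSstp) {
    if ($sstpCount -gt 0) {
        Write-Warning "SSTP connections are active; not disabling SSTP."
    } else {
        Disable-SstpPorts
        # Show the resulting WAN Miniport configuration so the change can be verified.
        netsh.exe RAS show wanports
    }
}
```

Run it once without the switch to see patch status and current SSTP usage; run it with -DisableSstp only on servers where user tunnels use IKEv2 or where only the device tunnel is deployed. The connection count reflects sessions at the moment the script runs, so check it during normal working hours rather than relying on a single off-peak sample.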
Additional Information
Windows SSTP Remote Code Execution Vulnerability (CVE-2023-24903)
May 2023 Security Updates for Windows Server 2016 (KB5026363)
May 2023 Security Updates for Windows Server 2019 (KB5026362)
May 2023 Security Updates for Windows Server 2022 (KB5026370)