Microsoft has released the October 2024 security updates, and numerous issues may impact Always On VPN administrators. Although many of the CVEs affecting Always On VPN-related services are Remote Code Execution (RCE) vulnerabilities, none are rated Critical this cycle.
RRAS Updates
This month, Microsoft has provided 12 updates for the Windows Server Routing and Remote Access Service (RRAS), commonly deployed to support Always On VPN. Most of these CVEs involve heap- and stack-based buffer overflows, input validation weaknesses, and buffer over-reads. All are rated Important, and there are currently no known exploits.
CVE-2024-38212
CVE-2024-38261
CVE-2024-38265
CVE-2024-43453
CVE-2024-43549
CVE-2024-43564
CVE-2024-43589
CVE-2024-43592
CVE-2024-43593
CVE-2024-43607
CVE-2024-43608
CVE-2024-43611
Related Updates
In addition to the updates above, Microsoft also released fixes for security vulnerabilities in various related services that are important to Always On VPN administrators.
Windows Network Address Translation (NAT)
The following CVEs address denial of service vulnerabilities in the Network Address Translation (NAT) service.
CVE-2024-43562
CVE-2024-43565
Certificate Services
Always On VPN administrators will also find updates for CVEs affecting various certificate services-related components.
CVE-2024-43545 – OCSP Denial of Service Vulnerability
CVE-2024-43541 – Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability
CVE-2024-43544 – Simple Certificate Enrollment Protocol (SCEP) Denial of Service Vulnerability
Recommendations
Always On VPN administrators are encouraged to update systems as soon as possible. However, since none of the CVEs is rated Critical, updates can be applied during standard update windows.
Additional Information
Microsoft October 2024 Security Updates